In a pair of sweeping directives that will have far-reaching implications for healthcare providers and their patients, the Office for Civil Rights (OCR) issued guidance and FAQs in which the agency states that it will waive potential penalties against healthcare providers for violations of the HIPAA privacy, security, or breach notification standards when the violation arises from the “good faith” use of many widely available internet messaging and videoconferencing applications to provide telehealth [i] treatment services to a patient during the COVID-19 nationwide public health emergency.
OCR said its goal is to ensure that healthcare providers and patients can use electronic information and telecommunications technology to provide health treatment services that can be safely performed without an in-person encounter to limit the spread of the COVID-19 virus. No penalties will be applied to HIPAA violations by a healthcare provider in the good faith use of a non-public facing remote communication product for telehealth services. The scope of services that can be provided through telehealth is not limited to services related to the diagnosis and treatment of health conditions related to COVID-19.
Who is Covered?
According to OCR, all health care providers [ii] that want to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. Health insurance companies and others that “merely” pay for telehealth service are not covered by OCR’s policy to use enforcement discretion.[iii]
There is uncertainty when a health insurance company has employees or contracted healthcare providers engaged in the provision of telehealth services as a member benefit to enrollees. For example, some insurers have registered nurses available to answer health questions by telephone or text messaging.[iv] Until OCR issues further guidance clarifying how the policy of enforcement discretion would apply to a health insurance company or payer, these organizations may wish to carefully review whether the telehealth services they provide fully comply with the HIPAA privacy, security, and breach notification standards.
What is Covered?
OCR will apply its policy of not imposing penalties against healthcare providers for noncompliance with the requirements of the HIPAA Rules to the “good faith” provision of telehealth using non-public facing audio, messaging, or video communication products. For example, if a healthcare provider follows the terms contained in the Notification of Enforcement Discretion and the guidance contained in the accompanying FAQ, it will not face HIPAA penalties if it experiences a cybersecurity incident that exposes protected health information from a telehealth session.
What is Good Faith?
The HIPAA Rules do not define “good faith.” However, OCR describes good faith as the provision of telehealth by a healthcare provider through use of a non-public facing remote communication product. In its FAQ document, OCR detailed what may constitute “bad faith” in the provision of telehealth by a healthcare provider, which would not be exempt from imposition of a penalty.[v] In weighing whether a healthcare provider’s use of telehealth services is in good faith and covered by the notice, OCR states that it will consider all facts and circumstances when deciding whether to impose a penalty on the provider for violating the HIPAA Rules.
What Remote Communication Products are Covered?
A health care provider that wants to use audio or video communication technology to provide telehealth to patients can use any non-public facing remote communication product that is available to communicate with patients. The guidance issued by OCR defines a non-public facing remote communication product as one that by default allows only the intended parties to participate in the communication. OCR provides examples of popular non-public facing applications that providers could use to deliver telehealth services through video chats or text messaging.[vi]
Public facing remote communication products are unacceptable means of providing telehealth services because they are designed to be open to the public or allow indiscriminate access to the communication. OCR specifically calls out applications like Facebook Live, Twitch, TikTok, or a chat room like Slack as examples of commonly available applications that could expose the healthcare provider to imposition of a penalty if used in connection with the provision of telehealth treatment services.
When Does the Period of Non-Enforcement End?
OCR’s policy of using enforcement discretion to not impose penalties against healthcare providers for the “good faith” provision of telehealth has no set expiration date. The guidance and FAQ tie the policy to the declaration of the COVID-19 National Emergency. OCR says it will notify healthcare providers and the public before changing its policy on how it enforces the HIPAA Rules.
Questions to Consider
OCR’s use of its enforcement discretion allowing for use of common telehealth technologies leaves a number of unanswered questions. Healthcare providers should carefully review their practices to assess the regulatory and information security risks posed by the use of commonly available technologies for telehealth.
For example, state attorneys general have authority to levy fines and penalties for violations of the HIPAA Rules. The HITECH Act does not condition the jurisdiction of a state attorney general to enforce the provisions of the Privacy, Security or Breach Notification Rules on OCR’s policies. A healthcare provider that experiences a breach as a result of using telehealth services in a way that does not comply with the HIPAA standards could still be subject to fines or penalties. Healthcare organizations must also determine which state laws would preempt employing popular consumer video communication applications for telehealth treatment services or set breach notification requirements that would be layered on top of the HIPAA Rules. A number of states have data protection or consumer privacy laws whose requirements are more stringent than the HIPAA privacy, security or breach notification standards. Still other states have laws that would have provided a safe harbor for healthcare providers and others so long as they were acting in compliance with the HIPAA Rules. Healthcare providers should review the data protection and consumer privacy laws that may be applicable to telehealth services to ensure that their activities are in compliance.
Information privacy and security teams will have to be proactive in working with healthcare providers that use commonly available technology to communicate with patients or provide telehealth services. For example, internet-facing personal communication devices are more vulnerable to cybersecurity threats when used over Wi-Fi connections that are not secure. Hackers have wasted no time exploiting the coronavirus pandemic to attack healthcare organizations as well as patients looking for testing and treatment. We have seen examples of phishing attacks disguised as emails mimicking announcements from the Centers for Disease Control and Prevention (CDC). Another cybercriminal created a phony map purporting to pinpoint coronavirus cases that actually delivered malware designed to steal usernames, passwords, credit card information, and other sensitive data stored on the device. Healthcare organizations must carefully monitor traffic on their information networks and look into unusual activity that could represent an intruder scanning for sensitive data or exfiltrating files stored in the system.
Widespread proliferation of telehealth communication services has long been hoped to facilitate convenient healthcare provider-patient communication. The federal government’s efforts to ease the compliance burden during an unprecedented health emergency, by promising not to enforce the HIPAA standards against healthcare providers when providing telehealth treatment, change how healthcare organizations manage the privacy and security of patient information. Healthcare organizations should approach OCR’s policy of enforcement discretion with eyes open to the far-reaching regulatory and information security challenges that may result from the widespread adoption of commonly available internet-based messaging and videoconferencing technologies.
Please contact email@example.com if we can assist you with any questions about the requirements of the HIPAA Privacy and Security Rules or to assist you in securing your information system from cybersecurity incidents.
[i] OCR’s Notice of Enforcement Discretion refers to the Health Resources and Services Administration (HRSA) definition of telehealth as the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional-related education, and public health and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and landline and wireless communications.
[ii] OCR’s Notice of Enforcement Discretion applies to all health care providers that are covered by HIPAA and provide telehealth services during the emergency. A health care provider is a provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. Health care providers may be “covered entities” or “business associates.” Examples of health care providers include physicians, nurses, advance practice nurses, physician assistants, clinics, hospitals, home health aides, therapists, counselors, other mental health professionals, dentists, pharmacists, laboratories, and any other entity that provides health care.
[iii] FAQs on Telehealth and HIPAA during the Covid-19 nationwide public health emergency; 2. What entities are included and excluded under the Notification of Enforcement Discretion regarding Covid-19 and remote telehealth communications?
[iv] United Healthcare; Member.UHC.com; Contact Us/Ask a Nurse “Registered nurses are available 24/7 to answer your health questions.”
[v] Some examples of what OCR may consider a bad faith provision of telehealth services that is not covered by the Notice of Enforcement Discretion:
- Conduct or furtherance of a criminal act, such as fraud, identity theft and intentional invasion of privacy;
- Further uses or disclosures of patient data transmitted during a telehealth communication that are prohibited by the HIPAA Privacy Rule (e.g. sale of the data, or use of the data for marketing without authorization);
- Violations of state licensing laws or professional ethical standards…; or,
- Use of public-facing remote communications products, such as TikTok, Facebook Live, Twitch, or a chat room like Slack, which OCR has identified in the Notification as unacceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication.
[vi] Examples of non-public facing remote communications products that can be used to provide telehealth without risk that OCR may impose a penalty for failing to comply with the HIPAA Rules are videoconferencing applications like Apple FaceTime, Facebook Messenger video, Google Hangouts video, or Skype. Such products would also include commonly used texting applications such as Signal, Jabber, Facebook Messenger, and Google Hangouts. These are examples and are not intended to be an exclusive list of non-public facing remote communications products.