Healthcare providers may provide treatment services to patients using a variety of non-public facing telehealth technologies without complying with the requirements of the HIPAA Privacy and Security standards. The Office for Civil Rights (OCR) issued guidance that it will use its enforcement discretion to not impose penalties against healthcare providers who communicate with patients or use telehealth services that do not comply with the requirements of the HIPAA standards while the COVID-19 national emergency declaration remains in effect.
According to OCR, a healthcare provider who is a HIPAA covered entity that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. OCR’s use of enforcement discretion applies to treatment services provided through telehealth for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.
The guidance issued by OCR lists examples of popular video chat applications, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, and Skype, that providers may use to deliver telehealth without risk that OCR will impose a penalty for failing to comply with the HIPAA Rules. However, the guidance specifically calls out Facebook Live, Twitch, TikTok, and similar public-facing video communication applications as tools that healthcare providers should not use to provide telehealth.
Providers are encouraged to notify patients that the use of third-party applications that are not HIPAA compliant potentially introduces privacy risks. Providers are advised to enable all available encryption and privacy modes when using such applications.
OCR’s use of its enforcement discretion to allow common telehealth technologies leaves a number of unanswered questions. The agency specified that the enforcement discretion applies to healthcare providers that are covered entities. Business associates contracted to provide treatment services, such as physician groups, radiology consultants, and other managed service providers, might still be subject to sanctions for using videoconferencing applications that do not meet HIPAA’s security requirements. Healthcare organizations must also determine which state laws would prohibit the use of popular consumer video communication applications for telehealth treatment services. It is also unclear how providers are to add telehealth encounters to patients’ treatment records, or to meet the Privacy Rule’s requirement to give patients access to copies of the recordings or physician notes from telehealth treatment sessions.
Information privacy and security teams will have to be especially vigilant against hackers who have wasted no time exploiting the coronavirus pandemic to attack healthcare organizations as well as patients looking for testing and treatment. We have seen examples of phishing emails crafted to mimic announcements from the Centers for Disease Control and Prevention (CDC). Another cybercriminal created a phony map purporting to pinpoint coronavirus cases that actually delivered malware designed to steal usernames, passwords, credit card information, and other sensitive data stored on the device. Healthcare organizations must carefully monitor traffic on their information networks and investigate unusual activity that could indicate an intruder scanning for sensitive data or exfiltrating files stored in the system.
Please contact COVIDfirstname.lastname@example.org if we can answer any questions about the requirements of the HIPAA Privacy and Security Rules or to assist you in securing your information system from cybersecurity incidents.