OCR Allows Use of Videoconferencing During Coronavirus Emergency

March 17, 2020 David Holtzman

Healthcare providers may provide treatment services to patients using a variety of non-public facing telehealth technologies without complying with the requirements of the HIPAA Privacy and Security standards. The Office for Civil Rights (OCR) issued guidance that it will use its enforcement discretion to not impose penalties against healthcare providers who communicate with patients or use telehealth services that do not comply with the requirements of the HIPAA standards while the COVID-19 national emergency declaration remains in effect.

According to OCR, a healthcare provider who is a HIPAA covered entity that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. OCR’s use of enforcement discretion applies to treatment services provided through telehealth for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.

The guidance issued by OCR provides examples of popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, and Skype, that may be used to provide telehealth without risk that OCR will impose a penalty for failing to comply with the HIPAA Rules. However, the guidance specifically calls out Facebook Live, Twitch, TikTok, and similar public-facing video communication applications as ones that should not be used by healthcare providers in the provision of telehealth.

Providers are encouraged to notify patients that the use of third-party applications that are not HIPAA compliant potentially introduces privacy risks. Providers are advised to enable all available encryption and privacy modes when using such applications.

OCR’s use of its enforcement discretion allowing for use of common telehealth technologies leaves a number of unanswered questions. The agency specified that the enforcement discretion applies to healthcare providers that are covered entities. Business associates contracted to provide treatment services, such as physician groups, radiology consultants, and other managed service providers, might still be subject to sanctions for using videoconferencing applications that do not meet HIPAA’s security requirements. Healthcare organizations must also determine what state laws would preempt the use of popular consumer video communication applications for telehealth treatment services. And how are providers to add the telehealth encounters to patients’ treatment records, or to meet the Privacy Rule’s requirement to give patients access to copies of the recordings or physician notes from telehealth treatment sessions?

Information privacy and security teams will have to be especially vigilant against hackers, who have wasted no time in exploiting the coronavirus pandemic to attack healthcare organizations as well as patients looking for testing and treatment. We have seen examples of phishing attacks disguised as emails mimicking announcements from the Centers for Disease Control and Prevention (CDC). Another cybercriminal created a phony map purporting to pinpoint coronavirus cases that actually delivered malware designed to steal usernames, passwords, credit card information, and other sensitive data stored on the device. Healthcare organizations must carefully monitor traffic on their information networks and look into unusual activity that could represent an intruder scanning for sensitive data or exfiltrating files stored in the system.

Please contact COVID-19@cynergistek.com if we can answer any questions about the requirements of the HIPAA Privacy and Security Rules or to assist you in securing your information system from cybersecurity incidents.

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives, including the effort to integrate the administration and enforcement of the HIPAA Security Rule and health information technology policies. David has nearly two decades of experience in developing, implementing and evaluating health information privacy and security compliance programs for both government and private sector organizations. He is a member of the HHS “CISA 405-d Workgroup” and the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council, and Co-Chair of the Privacy and Security Workgroup for the North Carolina Healthcare Information & Communications Alliance (NCHICA).
