September 30, 2022

Volume XII, Number 273


COVID-19: HHS Issues FAQs on HIPAA and Telehealth to Help Providers Maintain Access to Care During the Pandemic

On March 20, the U.S. Department of Health and Human Services (HHS) issued additional guidance in the form of Frequently Asked Questions (FAQs) on HIPAA and telehealth services to help providers furnish care during the COVID-19 pandemic.

The FAQs follow and provide further information on the Notification of Enforcement Discretion issued by HHS on March 17 (Notification), in which HHS indicated that it would not penalize providers for using popular video chat applications, such as FaceTime and Skype, in good faith to provide telehealth services amid the COVID-19 pandemic. HHS has emphasized, however, that the Notification does not allow the use of public-facing communications products, such as Facebook Live or other livestreaming applications.

In the FAQs, HHS first provides an important reminder that while the term telehealth refers to the “use of electronic information and telecommunications technologies” for remote health care and patient education, certain payors – including Medicare – place restrictions on the types of technologies that can be used in order for the services to be reimbursed.  HHS notes that such restrictions do not limit the scope of the Notification.

HHS then provides the following additional information on the Notification and telehealth generally:

  • The Notification applies to all health care providers that are covered by HIPAA and provide telehealth services during the COVID-19 emergency, with no limitations on the patients served via telehealth;

  • The Notification applies to all services that a provider believes, in his or her professional judgment, can be provided via telehealth under the circumstances of the emergency;

  • The Notification does not apply to health insurance companies that just pay for telehealth services;

  • The Notification applies to HIPAA’s Security Rule, Privacy Rule, and Breach Notification Rule regulations;

  • The Notification does not apply to substance use disorder records or communications covered by 42 C.F.R. Part 2;

  • The Notification does not have an expiration date;

  • Health care providers are expected to conduct telehealth services in private settings, and providers should implement reasonable safeguards to limit incidental uses or disclosures of protected health information;

  • The Notification applies only to the “good faith” provision of telehealth services, which HHS assesses via a facts and circumstances test, and examples of what would not qualify as good faith include the provision of telehealth services in furtherance of a criminal scheme, or to violate state licensure law, or the use of public-facing communications products such as Facebook Live; and

  • Non-public facing remote communication products can include FaceTime, Skype, Facebook Messenger video, WhatsApp video chat, or Google Hangouts video, but do not include livestreaming products.

HHS concluded the FAQs by stating that if a provider uses telehealth services during the COVID-19 pandemic and protected health information is intercepted during transmission, HHS will not pursue otherwise applicable penalties for any such breach.

Notably, in furtherance of the government’s efforts to promote the use of telehealth services to combat the COVID-19 pandemic, on March 23 HHS’s Centers for Medicare and Medicaid Services issued telehealth toolkits for providers available here (for general practitioners) and here (for ESRD providers).

Copyright © 2022 Robinson & Cole LLP. All rights reserved. National Law Review, Volume X, Number 83

About this Author

Conor Duffy Cybersecurity Attorney

Conor Duffy is a member of the firm's Health Law Group and its Data Privacy + Cybersecurity Team. He advises hospitals, physician groups, community providers, and other health care entities on general corporate matters and health law issues. He also counsels clients on what measures are needed to safeguard data and patient information.


Conor provides legal counsel to health care clients on various regulatory matters, such as Medicare and Medicaid program compliance, federal fraud and abuse laws, and the Emergency Medical Treatment & Labor Act...

Melissa Lisa Thompson Healthcare Lawyer Robinson Cole Law Firm

Lisa Thompson advises companies, senior management, and their boards of directors, with a focus on the health care, life sciences and technology industries. She is a member of the firm’s Health Law Group and Data Privacy + Cybersecurity Team.  She is also an arbitrator on the Commercial panel and the Health Care panel of the American Arbitration Association.  

Health Care, Life Science and Technology Industries

Lisa represents domestic and international clients in the health care, life science and technology industries, including pharmaceutical companies,...