September 22, 2020

Volume X, Number 266

September 22, 2020

Subscribe to Latest Legal News and Analysis

September 21, 2020

Subscribe to Latest Legal News and Analysis

COVID-19: HHS Issues FAQs on HIPAA and Telehealth to Help Providers Maintain Access to Care During the Pandemic

On March 20, the U.S. Department of Health and Human Services (HHS) issued additional guidance in the form of Frequently Asked Questions (FAQs) on HIPAA and telehealth services to help providers furnish care during the COVID-19 pandemic.

The FAQs follow and provide further information on the Notification of Enforcement Discretion issued by HHS on March 17 (Notification), in which HHS indicated that it would not penalize providers for using popular video chat applications, such as FaceTime and Skype, in good faith to provide telehealth services amid the COVID-19 pandemic.  HHS has emphasized, however, that the Notification does not allow the use of public-facing communications products, such as Facebook live or other livestreaming applications.

In the FAQs, HHS first provides an important reminder that while the term telehealth refers to the “use of electronic information and telecommunications technologies” for remote health care and patient education, certain payors – including Medicare – place restrictions on the types of technologies that can be used in order for the services to be reimbursed.  HHS notes that such restrictions do not limit the scope of the Notification.

HHS then provides the following additional information on the Notification and telehealth generally:

  • The Notification applies to all health care providers that are covered by HIPAA and provide telehealth services during the COVID-19 emergency, with no limitations on the patients served via telehealth;

  • The Notification applies to all services that a provider believes, in his or her professional judgment, can be provided via telehealth under the circumstances of the emergency;

  • The Notification does not apply to health insurance companies that just pay for telehealth services;

  • The Notification applies to HIPAA’s Security Rule, Privacy Rule, and Breach Notification Rule regulations;

  • The Notification does not apply to substance use disorder records or communications covered by 42 C.F.R. Part 2;

  • The Notification does not have an expiration date;

  • Health care providers are expected to conduct telehealth services in private settings, and providers should implement reasonable safeguards to limit incidental uses or disclosures of protected health information;

  • The Notification applies only to the “good faith” provision of telehealth services, which HHS assesses via a facts and circumstances test, and examples of what would not qualify as good faith include the provision of telehealth services in furtherance of a criminal scheme, or to violate state licensure law, or the use of public-facing communications products such as Facebook live; and

  • Non-public facing remote communication products can include FaceTime, Skype, Facebook messenger video, Whatsapp video chat, or Google hangouts video, but do not include livestreaming products.

HHS concluded the FAQs by stating that if a provider uses telehealth services during the COVID-19 pandemic and protected health information is intercepted during transmission, HHS will not pursue otherwise applicable penalties for any such breach.

Notably, in furtherance of the government’s efforts to promote the use of telehealth services to combat the COVID-19 pandemic, on March 23 HHS’s Centers for Medicare and Medicaid Services issued telehealth toolkits for providers available here (for general practitioners) and here (for ESRD providers).

Copyright © 2020 Robinson & Cole LLP. All rights reserved.National Law Review, Volume X, Number 83


About this Author

Conor Duffy Cybersecurity Attorney

Conor Duffy is a member of the firm's Health Law Group and its Data Privacy + Cybersecurity Team. He advises hospitals, physician groups, community providers, and other health care entities on general corporate matters and health law issues. He also counsels clients on what measures are needed to safeguard data and patient information.


Conor provides legal counsel to health care clients on various regulatory matters, such as Medicare and Medicaid program compliance, federal fraud and abuse laws, and the Emergency Medical Treatment & Labor Act...

Melissa Lisa Thompson Healthcare Lawyer Robinson Cole Law Firm

Lisa Thompson advises companies, senior management, and their boards of directors, with a focus on the health care, life sciences and technology industries. She is a member of the firm’s Health Law Group and Data Privacy + Cybersecurity Team.  She is also an arbitrator on the Commercial panel and the Health Care panel of the American Arbitration Association.  

Health Care, Life Science and Technology Industries

Lisa represents domestic and international clients in the health care, life science and technology industries, including pharmaceutical companies, medical device manufacturers, biotechnology companies, hospital systems, academic medical centers, health information exchanges (HIEs) and technology services providers.  In addition, she has represented third party administrators, pharmacy benefit managers, health plans, laboratories, physician practices, pharmacies and retail pharmacy chains, among others in these industries.

Lisa handles a range of matters, including corporate law and contracting, government investigations and audits, clinical research law, and matters involving Institutional Review Boards (IRBs). She has extensive experience representing clients on matters involving privacy and security including HIPAA, reimbursement, Medicare and Medicaid, state and federal surveys and termination actions, managed care disputes, pharmacy and compounding laws, fraud and abuse, Stark Law, anti-kickback, and federal program exclusions.

Lisa’s life sciences experience includes U.S. Food and Drug Administration (FDA) compliance and regulatory matters, product recalls and liability claims, FDA citizen petitions and appeals, labeling review, advertising and marketing compliance, drug and medical device reimbursement, clinical research agreements, Sunshine Act compliance, and commercial contracting. Her technology sector experience includes advising on privacy and security, software licensing, data use agreements, information exchange system agreements, and regulatory requirements.

She formerly served in-house as chief counsel for an international medical device manufacturer, as general counsel for a pharmacy benefit management company, and as corporate, privacy, and research counsel for a major academic medical center. She is a co-editor and contributor for the firm’s blog, Health Law Diagnosis.