December 2, 2021

Volume XI, Number 336

Advertisement
Advertisement

December 02, 2021

Subscribe to Latest Legal News and Analysis

December 01, 2021

Subscribe to Latest Legal News and Analysis

November 30, 2021

Subscribe to Latest Legal News and Analysis

November 29, 2021

Subscribe to Latest Legal News and Analysis
Advertisement

FAQs on Telemedicine and HIPAA During the Public Health Emergency

Throughout the COVID-19 pandemic, federal agencies have sought to allow health care companies more flexibility to use popular technology and applications to better engage with their patients. One example is the Department of Health and Human Services’ Office of Civil Rights (OCR), which issued a notice that it will allow health care providers to use widely-available communications software without fear of violating HIPAA, even if the software does not meet the HIPAA privacy and security requirements. This enforcement discretion allows a covered entity to deliver care via “non-public facing” audio or video communication technology.

OCR has provided a set of Frequently Asked Questions on Telemedicine and HIPAA Waivers, offering helpful guidance and clarification. For example:

11. If a covered health care provider uses telehealth services during the COVID-19 outbreak and electronic protected health information is intercepted during transmission, will OCR impose a penalty on the provider for violating the HIPAA Security Rule?

No. OCR will exercise its enforcement discretion and will not pursue otherwise applicable penalties for breaches that result from the good faith provision of telehealth services during the COVID-19 nationwide public health emergency. OCR would consider all facts and circumstances when determining what constitutes a good faith provision of telehealth services. For example, if a provider follows the terms of the Notification and any applicable OCR guidance (such as this and other FAQs on COVID-19 and HIPAA), it will not face HIPAA penalties if it experiences a hack that exposes protected health information from a telehealth session.

OCR believes that many current and commonly available remote electronic communication products include security features to protect ePHI transmitted between health care providers and patients. In addition, video communication vendors familiar with the requirements of the Security Rule often include stronger security capabilities to prevent data interception and provide assurances they will protect ePHI by signing a HIPAA business associate agreement (BAA). Providers seeking to use video communication products are encouraged to use such vendors, but will not be penalized for using less secure products in their effort to provide the most timely and accessible care possible to patients during the Public Health Emergency. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications. OCR does not endorse the use of or the security capabilities of any particular communications product.

This means companies may use popular applications (e.g., Apple FaceTime, Facebook Messenger, Google Hangouts, Zoom, Skype) that allow for video chats but which might not fully comply with HIPAA requirements. The term “non-public facing” means the application, by default, only allows the intended parties to participate in the communication. In contrast, “public-facing” products (e.g., TikTok, Facebook Live, Twitch) or public video chat rooms would not be acceptable forms of communication for telemedicine services.

This Notice of Enforcement Discretion will remain in effect until the Public Health Emergency expires. Even with the current relaxation of enforcement by OCR, it is widely-accepted that best practices in telemedicine are to use a software communications platform that meets the HIPAA privacy and security requirements. Companies currently using non-HIPAA communications software during the Public Health Emergency should develop plans on how to migrate over to a compliant solution before the waivers expire.

© 2021 Foley & Lardner LLPNational Law Review, Volume XI, Number 88
Advertisement

About this Author

Nathaniel Lacktman, Health Care Attorney, Foley and Lardner Law Firm
Partner

Nathaniel (Nate) Lacktman is a partner and health care lawyer with Foley & Lardner LLP, and a Certified Compliance & Ethics Professional (CCEP). His practice focuses on health care compliance, counseling, enforcement and litigation, as well as telemedicine and telehealth. Mr. Lacktman is a member of the firm’s Health Care Industry Team which was named “Law Firm of the Year — Health Care Law” for three of the past four years on the U.S. News – Best Lawyers® “Best Law Firms” list. 

813-225-4127
Aaron T. Maguregui Health Care Attorney Foley & Lardner Tampa, FL
Special Counsel

Aaron Maguregui is a health care lawyer and member of the firm’s Privacy, Security & Information Management Practice, and national Telemedicine & Digital Health Industry Team. He advises innovative health care and technology companies to solve complex compliance, cybersecurity, data governance, data privacy, and risk management matters. Working with leading health care insurers, government-sponsored managed care organizations, health care providers, and technology companies, he delivers pragmatic legal advice and action-oriented solutions guidance to help clients reach their goals...

813-225-4129
Advertisement
Advertisement
Advertisement