Throughout the COVID-19 pandemic, federal agencies have sought to allow health care companies more flexibility to use popular technology and applications to better engage with their patients. One example is the Department of Health and Human Services’ Office of Civil Rights (OCR), which issued a notice that it will allow health care providers to use widely-available communications software without fear of violating HIPAA, even if the software does not meet the HIPAA privacy and security requirements. This enforcement discretion allows a covered entity to deliver care via “non-public facing” audio or video communication technology.
OCR has provided a set of Frequently Asked Questions on Telemedicine and HIPAA Waivers, offering helpful guidance and clarification. For example:
11. If a covered health care provider uses telehealth services during the COVID-19 outbreak and electronic protected health information is intercepted during transmission, will OCR impose a penalty on the provider for violating the HIPAA Security Rule?
No. OCR will exercise its enforcement discretion and will not pursue otherwise applicable penalties for breaches that result from the good faith provision of telehealth services during the COVID-19 nationwide public health emergency. OCR would consider all facts and circumstances when determining what constitutes a good faith provision of telehealth services. For example, if a provider follows the terms of the Notification and any applicable OCR guidance (such as this and other FAQs on COVID-19 and HIPAA), it will not face HIPAA penalties if it experiences a hack that exposes protected health information from a telehealth session.
OCR believes that many current and commonly available remote electronic communication products include security features to protect ePHI transmitted between health care providers and patients. In addition, video communication vendors familiar with the requirements of the Security Rule often include stronger security capabilities to prevent data interception and provide assurances they will protect ePHI by signing a HIPAA business associate agreement (BAA). Providers seeking to use video communication products are encouraged to use such vendors, but will not be penalized for using less secure products in their effort to provide the most timely and accessible care possible to patients during the Public Health Emergency. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications. OCR does not endorse the use of or the security capabilities of any particular communications product.
This means companies may use popular applications (e.g., Apple FaceTime, Facebook Messenger, Google Hangouts, Zoom, Skype) that allow for video chats but which might not fully comply with HIPAA requirements. The term “non-public facing” means the application, by default, only allows the intended parties to participate in the communication. In contrast, “public-facing” products (e.g., TikTok, Facebook Live, Twitch) or public video chat rooms would not be acceptable forms of communication for telemedicine services.
This Notice of Enforcement Discretion will remain in effect until the Public Health Emergency expires. Even with the current relaxation of enforcement by OCR, it is widely-accepted that best practices in telemedicine are to use a software communications platform that meets the HIPAA privacy and security requirements. Companies currently using non-HIPAA communications software during the Public Health Emergency should develop plans on how to migrate over to a compliant solution before the waivers expire.