HHS Office for Civil Rights Issues Telehealth HIPAA Guidance during COVID-19 Emergency

On March 17, 2020, the Office for Civil Rights (“OCR”), the agency within the United States Department of Health & Human Services (“HHS”) responsible for enforcement of HIPAA, issued the following guidance: “Notification of Enforcement Discretion for telehealth remote communications during the COVID-19 nationwide public health emergency.” Pursuant to telehealth regulatory waivers issued by the HHS Centers for Medicare & Medicaid Services (“CMS”) effective during the COVID-19 Public Health Emergency (“PHE”), providers can use telehealth at any location, including in a patient’s home. As more fully explained in its Telehealth Fact Sheet dated March 17, 2020, HHS stated:

“The provider must use an interactive audio and video telecommunications system that permits real-time communication between the distant site and the patient at home. … It is imperative during this public health emergency that patients avoid travel, when possible, to physicians’ offices, clinics, hospitals, or other health care facilities where they could risk their own or others’ exposure to further illness.”

It goes without saying that most patients will not have HIPAA-compliant video and audio technology available within their own homes to communicate with a provider. The waiver of the telehealth requirement during the COVID-19 PHE that otherwise would have required the patient to travel to a HIPAA-compliant “originating site” for a telehealth consultation would be useless in the absence of a HIPAA waiver. In recognition of this, the CMS Telehealth Fact Sheet explicitly states that Facebook and Skype telecommunications fall within the video and audio technology that can be used under the HIPAA waiver. The OCR Telehealth Guidance takes this further, stating:

“Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.”

See the CMS Telehealth PHE Fact Sheet and OCR Telehealth PHE Guidance for additional information.