HIPAA Notification of Enforcement Discretion During COVID-19 Emergency Ends

The US Department of Health and Human Services Office for Civil Rights announced on April 12, 2023 that the Notification of Enforcement Discretion – issued through HIPAA would end on May 11, 2023, when the COVID-19 public health emergency officially ends. HIPAA stands for the Health Insurance Portability and Accountability Act of 1966 (HIPAA).

Any entities covered by HIPAA were given 90 days to come into compliance with HIPAA’s privacy rule, security rule, and breach notification and enforcement rule. The HIPAA rules apply to telehealth services offered by health care providers. The 90-day transition ended on August 9, 2023. Healthcare providers who use telehealth services now need to fully comply with HIPAA. These healthcare providers should consult with experienced healthcare lawyers about the HIPAA rules and the ways to work towards compliance.

The Notification of Enforcement Discretion for Telehealth Remote Communications – During the COVID-19 Nationwide Public Health Emergency

The Office for Civil Rights (OCR) for the US Department of Health and Human Services (HHS) is the federal agency that is responsible for enforcing certain HIPAA regulations, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act. These regulations protect the privacy and security of protected health information. The regulations are HIPAA’s Privacy, Security, and Breach Notification Rules (the HIPAA Rules).

During the COVID-19 pandemic, covered health providers who were subject to HIPAA Rules were granted permission to speak with patients through telehealth services – by means of remote communications technologies. Exceptions for bad faith actions may apply.

Some telehealth technologies and the ways the technologies are used by HIPAA-covered health care providers may not comply with all the HIPAA rules. The notification of enforcement discretion regulation provided that OCR:

“Will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.  This notification is effective immediately.”

The Notification of Enforcement Discretion also provided that a covered healthcare provider that desired to use video and/or audio communication technology to provide patient telehealth services during COVID-19 could use “any non-public facing remote communication product that is available to communicate with patients.”

OCR’s discretion applied to telehealth for any reason – not just for the diagnosis and treatment of COVID-19 health conditions.

As an example, a covered healthcare provider could – in the exercise of their professional judgment – use a video chat application that connects to a patient’s phone or desktop computer – to discuss a patient’s COVID-19 symptoms. In this way, the health provider could review the health of more patients while reducing their risk of infecting other people – as would be more likely with in-person consultations.

As another example, a covered health care provider could provide similar telehealth services – in the exercise of their professional judgment – to patients who might require a dental consultation, a psychological evaluation, an examination of a sprained ankle, or other health conditions.

The OCR Notice provided that covered health care providers could use various software applications such as “Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype,” to provide telehealth services – without the risk that OCR might file a HIPAA Rules violation action. The Notice further encouraged covered health providers to inform patients that these technologies and telehealth services could have privacy risks. Providers were advised to “enable all available encryption and privacy modes when using such applications.”

The Notice provided that applications that are public facing should not be used for telehealth consultations by covered healthcare providers. Public-facing technology includes Facebook (now Meta) Live, TikTok, and Twitch.

The Notice of Enforcement Discretion added that covered healthcare providers should seek additional privacy protections for their telehealth services through technology vendors that are HIPAA compliant and who will enter into HIPAA business associate agreements. According to the OCR Notice, some of the vendors that claim they provide HIPAA-compliant video communication products and will into a HIPAA business association agreement are:

• Skype for Business / Microsoft Teams
• Updox
• VSee
• Zoom for Healthcare
• Doxy.me
• Google G Suite Hangouts Meet
• Cisco Webex Meetings / Webex Teams
• Amazon Chime
• GoToMeeting
• Spruce Health Care Messenger

Telehealth and business associates

According to the US Department of Health and Human Services, HIPAA’s privacy rule only applies to “covered entities” – certain health care providers, health plans, and healthcare clearinghouses. Usually, healthcare providers and health plans use the services of other people and businesses to carry out their telehealth needs. HIPAA’s Privacy Rule allows covered providers (and plans) to obtain

“Satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.”

Covered entities can disclose PHI to “business associates” – for the express purpose of carrying out their health care functions – and not for the independent use of the business associate – “except as needed for the proper management and administration of the business associate.”

The OCR does have guidance on how covered health care providers and health plans can use remote communication technologies for audio-only health  – to meet the “requirements of the HIPAA Privacy, Security, and Breach Notification Rules, including when OCR’s Notification of Enforcement Discretion for Telehealth – PDF is no longer in effect.”

The OCR still supports the use of telehealth services even though the discretionary period has ended.

HIPAA compliance issues for physicians now that the discretionary enforcement period has ended

With the ending of the discretionary period, health practices can still use telehealth services – but the health practices must be in compliance with HIPAA. The practices must also be compliant with any state patient information protection laws.

The HIPAA Journal recommends that healthcare providers:

• Perform a review to identify how their healthcare professionals communicate with patients and business associates.
• “Identify and analyze risks to the privacy of health information and the security of electronic transmissions.”
• Create and implement policies to reduce the dangers of violations and breaches and provide HIPAA education to the staff about these policies.
• Ensure that for each business associate and software vendor there is a compliant business associate agreement in place.
• “Implement verification procedures for first contacts and when access credentials are known to have been compromised.”
• Develop procedures for documenting patient consent – when the confidentiality of a remote consultation cannot be guaranteed.
• Document all remote patient encounters and security retained to meet the HIPAA document retention requirements.

The Centers for Medicare and Medicaid Services (CMS) also provide guidance for the use of telehealth services.

Telemedicine and HIPAA

Health care providers need to be in compliance with HIPAA’s Privacy and Security rules which protect patient health information and electronic patient health information respectively.

The Privacy Rule applies to remote and face-to-face health care. The Security Rule applies to most types of telehealth services and business associates of covered entities. Business associates generally provide telemedicine platforms and telehealth services which must be HIPAA compliant.

The HIPAA privacy Rule and Telehealth

One of the major issues with telehealth services is confirming the identity of the patient. Even when the patient’s identity is confirmed, confirming the privacy of the consultation can be difficult.

“Healthcare providers may need to obtain recorded consent to continue with the consultation when a translator, caregiver, or family member is present, or when the patient is in a public location where the consultation may be overheard.”

Another challenge is confirming the location of the healthcare provider. Providers may not always provide advice from their offices.

Still another HIPAA and telehealth challenge occurs when one healthcare provider refers a patient to another healthcare provider who is not under the control of the first healthcare provider.

In some cases, the telehealth conference will not be able to take place. In other cases, the conference may need to limit the use of PHI.

The HIPAA Security Rule and Telehealth

Generally, the HIPAA Security Rule requirements for telehealth are similar to other healthcare services.

HIPAA, according to the HIPAA Journal, has guidelines for:

• What to do if a software vendor refuses to enter into a business associate agreement
• Risk analysis on complex telemedicine frameworks
• Security risks at the patient’s end

Other HIPAA telehealth compliance issues you should review with experienced healthcare lawyers include:

• What transmissions are considered electronic? As mentioned above, audio-only telehealth services may not be subject to HIPAA’s security rule which requires that PHI transmissions be electronic.
• Who qualifies as a business associate and what compliance issues do business associates have?
• The telemedicine requirements for the state where the health practice is located
• The telemedicine requirements for the state where the patient is located
• Issues involving the prescribing of controlled substances and substance abuse disclosures

As technology evolves and CMS develops its own telehealth guidelines, there will be new HIPAA compliance issues that healthcare providers should review with experienced healthcare lawyers.

During the COVID-19 pandemic, The HHS Office for Civil Rights authorized the “discretionary” enforcement of HIPAA’s privacy, security, and breach notification rules to encourage remote healthcare conversations. The discretionary period ended as of August 9, 2023. Health care providers covered by HIPAA will now need to review whether their telehealth services comply with HIPAA. Healthcare providers should also review their business associate agreements to ensure the companies that provide telehealth services for the practices are HIPAA-compliant.

Physicians and medical practices should contact Cohen Healthcare Law Group, PC to discuss their HIPAA and telehealth services compliance issues. Our experienced healthcare attorneys advise physicians and medical practices about healthcare compliance laws and regulations.