Frequently Asked Questions about Telehealth and HIPAA during the COVID-19 emergency

The DHHS offers the following FAQs and answers regarding the use of telehealth services during the novel coronavirus health pandemic.

What are telehealth services?

The DHHS’ Health Resources and Services Administration (HRSA) defines telehealth as the use of electronic information technology to support and “promote:

  • Long-distance clinical healthcare
  • Health-related education for patients and professionals
  • Health administration
  • Public health”

Sample telehealth technologies include using the Internet, videoconferences, store-and-forward imaging, media streaming, and “landline and wireless communication.”

Health providers can deliver telehealth services in different ways including:

  • Audio
  • Text messaging
  • Video communications

Some payors, such as Medicaid and Medicare, may have restrictions on which technical platforms can be used. DHHS states that those payor restrictions do not limit the “Notification of Enforcement Discretion for Telehealth Remote Communications during the COVID-19 Nationwide Public Health Emergency.”

Which entities are included under the OCR Notification of Enforcement Discretion for COVID-19 and remote telehealth communications? Which entities are excluded?

Included. The OCR Notification of Enforcement Discretion applies to all healthcare providers (such as most doctors and physicians) covered by HIPAA who offer telemedicine services during any emergency such as the COVID-19 outbreak.

Not included. The OCR Notification does not cover health insurance companies that pay for the telemedicine services.

HIPAA defines “healthcare providers” as “a provider of medical or health services and any other person or organization who furnishes, bills, or is paid for healthcare in the normal course of business.” Examples of health providers are:

  • Doctors
  • Hospitals
  • Nurses
  • Clinics
  • Home health aides
  • Mental health professionals
  • Dentists
  • Therapists such as physical and occupational therapists
  • Laboratories
  • Any entity or person that provides healthcare

Healthcare providers are “HIPAA covered entities” if the health provider sends “any health information in electronic form in connection with a transaction for which the Secretary has adopted a standard (e.g., billing insurance electronically).” 45 CFR 160.103.

Health insurance companies that merely pay for the telehealth services are not covered by the notice – because health insurance companies don’t provide healthcare.

Are there any limits on which patients a HIPAA covered healthcare provider can treat – under the OCR’s enforcement discretion notice? For example, can Medicaid and Medicare patients be treated?

There are no limitations on the patients, including Medicaid and Medicare patients, who can be treated remotely by covered healthcare providers.

Which HIPAA rules are included in the OCR Enforcement Discretion Notice?

The Notice provides that healthcare providers covered by HIPAA won’t be “subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”

The Notice doesn’t address HIPAA compliance when healthcare is offered other than through emergency telehealth services.

How does the Notification of Enforcement Discretion (for using remote telehealth services during the COVID-19 emergency) affect “violations of 42 CFR Part 2, the HHS regulation that protects the confidentiality of substance use disorder patient records?”

The Notification only applies to enforcing HIPAA rules. For information on substance abuse issues, the Substance Abuse and Mental Health Services Administration (SAMHSA) has announced similar guidance which can be reviewed at their website. Many other agencies such as the FTC and FDA are also announcing COVID-19 guidance policies.

Is there an expiration date for the OCR enforcement discretion notice “regarding COVID-19 and remote telehealth communications?”

There is no expiration date. OCR will issue a public notice when it stops exercising its enforcement discretion – based on how the COVID-19 emergency develops.

“Where can healthcare providers conduct telehealth?”

The DHHS Office for Civil Rights anticipates that healthcare providers will offer telehealth services in private settings such as their office or a clinic. The patient will likely be at home or at a different clinic. OCR advises that healthcare providers should use private settings. Patients should also receive the remote healthcare services in private settings unless there are emergency conditions.

If the telehealth services can’t be done in a private setting, the healthcare provider should still implement reasonable HIPAA procedures such as speaking in a low voice, not using the speakerphone, and suggesting to the patient that he/she move away from others who might hear any protected health information.

What types of medical services can be provided while the OCR is exercising enforcement discretion during the COVID-19 public health emergency?

Generally, every type of service that the healthcare providers, using their professional judgment, think can be provided. Examples include the “diagnosis or treatment of COVID-19 related conditions, such as taking a patient’s temperature or other vitals remotely, and diagnosis or treatment of non-COVID-19 related conditions, such as review of physical therapy practices, mental health counseling, or adjustment of prescriptions, among many others.”

Which actions would the OCR consider to be “bad faith” and would not be covered by the COVID-19 and remote telehealth communication discretion notice?

The OCR will review all relevant facts and circumstances in determining whether the healthcare provider used telemedicine in good faith or bad faith. A few examples of bad faith conduct which would not be protected, and could result in compliance enforcement, include:

  • Criminal acts. This includes acts of fraud, stealing someone’s identity, and deliberately invading someone’s privacy
  • Using or disclosing patient data (obtained while in a telehealth session) that are forbidden under the HIPAA Privacy Rule such as selling the data or using the information for the healthcare provider’s marketing efforts – without authorization from the patient
  • Violating any professional ethical standards or the licensing laws of any state – if the violation results in disciplinary actions regarding the treatments provided during the telemedicine sessions – provided there are documented findings by the respective boards or licensing entities.
  • The use of “public-facing remote communication products” is not allowed. Examples of public-facing products include “TikTok, Facebook Live, Twitch, or a chat room like Slack,” “which OCR has identified in the Notification as unacceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication.”

How are “Non-public facing” remote communication products defined?

A non-public facing remote communication product is one that, as a default, allows only the intended parties to participate in the communication.

Examples of non-public facing remote communication video devices/software include:

  • Facebook Messenger video chat
  • Apple FaceTime
  • Google Hangouts video
  • Skype
  • WhatsApp video chat

Texting applications include:

  • Jabber
  • Signal
  • Facebook Messenger
  • Google Hangouts
  • iMessage
  • WhatsApp

The platforms usually allow for encryption so that only the sender and receiver of the health information are able to see/read what’s being sent. The platforms generally also have logins and passwords to help verify who is using the app. Other options that the sender and receiver may be able to use, depending on the platform, include the ability to record the communication/telehealth session or to turn off the video or audio signal at any time during the session.

Public-facing products are designed for public use and are not acceptable to the OCR. For example, a doctor who uses Facebook Live to “stream a presentation” (such as general advice on COVID-19) to all his/her patients is not using a reasonably private transmission method. Public-facing telehealth is not protected by the OCR Notification because the physician should be communicating with only one patient at a time.

What will the OCR do if – even though the healthcare provider uses telehealth services during the COVID-19 crisis – electronic PHI is “intercepted during transmission”? Will the healthcare provider be assessed a penalty for “violating the HIPAA Security Rule?”

OCR, using its enforcement discretion, will not pursue/enforce penalties for breaches, provided the breach was due to good faith exercise of telehealth services during this public health emergency. Whether actions are in good faith depends on the facts and circumstances.

An example of good faith exercise of telemedicine during this crisis is when a provider complies with the Notification terms and any applicable OCR guidance (such as this and other FAQs on COVID-19 and HIPAA). In this scenario, the healthcare provider will not be subject to HIPAA penalties if PHI is “hacked” during the telehealth meeting.

Generally, OCR anticipates that many of the remote electronic communication software products will have suitable security features designed to protect electronic protected health information. OCR also understands that video communication vendors (who understand the HIPAA Security Rule) will have even tougher security measures built into their products “to prevent data interception and provide assurances they will protect ePHI by signing a HIPAA business associate agreement (BAA).”

OCR recommends that healthcare providers who wish to consult with their patients through these remote products use vendors who build HIPAA security protocols into their software and devices. Still, OCR states the OCR won’t penalize healthcare providers who use less secure products to deliver telehealth services during this public health emergency period.

OCR does recommend that healthcare providers notify patients that communicating remotely does have risks. Providers should seek to use encryption and privacy services while communicating with their patients.

OCR doesn’t endorse any specific telehealth products. The OCR only sets out general guidance principles for use – including which products should be acceptable and which products are not acceptable because the telehealth product is public-facing.

The rules and regulations will keep changing during the COVID-19 emergency in order to balance the rights of patients with the need to protect everyone who treats patients who have, or might have, COVID-19, as well as patients with other medical needs. Health providers will need to keep current with those changes. An experienced healthcare lawyer can help explain the new rules and regulations to doctors and other healthcare providers.

Contact the Cohen Healthcare Law Group for legal counsel on the rapidly changing COVID-19 rules and regulation landscape. Our experienced healthcare attorneys are working to keep abreast of the new rules and regulations and how the rules impact the ability of physicians and other healthcare providers to provide medical services to their patients.
