By Jorge Tormes, Esq.
JTG Consulting Group, LLC
April 15, 2020
In an effort to facilitate the expansion of telehealth services during the COVID-19 Nationwide Public Health Emergency, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has issued a “Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency” (Notice of Enforcement Discretion).
A copy of the Notice of Enforcement Discretion can be found on the HHS website using the link below:
This article will summarize what this means and what your organization should know before using non-HIPAA compliant technology to provide telehealth services.
What is Enforcement Discretion?
A notification of enforcement discretion is not a change in law or regulation. All the privacy, security and notice requirements of HIPAA, and the corresponding regulations, are still in effect. As the agency responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules, OCR is notifying the public and covered entities that it will use its “enforcement discretion” and not enforce certain rules for telehealth remote communications during the COVID-19 Nationwide Public Health Emergency.
This is similar to a prosecutor using her or his discretion to not prosecute minor drug crimes to avoid unnecessary incarceration during the COVID-19 Nationwide Public Health Emergency. While the underlying law is still in effect, the law is not being enforced or prosecuted. This is an important distinction to be aware of because you will be largely relying on the agency’s interpretation of what falls under its enforcement discretion guidance.
It is important to know that the Notice of Enforcement Discretion only applies to enforcement by the OCR at HHS. States may have their own laws and regulations regarding privacy, security, and notification around health information, and each state may still be enforcing its own laws. Further, in some states there may be private causes of action under tort theories if your use of unsecured technology leads to a breach of a patient’s private health information.
If your organization decides to expand its telehealth services using the guidance provided by the Notice, you should follow the guidance as closely as possible and deviate from the existing laws and regulations only to the minimum extent necessary to meet the needs of your patients.
What Does the Notice of Enforcement Discretion Allow?
The Notice of Enforcement Discretion allows covered healthcare providers to use any non-public facing remote communication product to communicate with patients “in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency.” Covered healthcare providers may use applications such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype to provide telehealth.
When using these applications, covered healthcare providers should notify patients of the privacy risks these third-party applications may introduce. Further, covered healthcare providers should use all available privacy features, such as encryption and privacy modes, when using these third-party applications. Under the Notice of Enforcement Discretion, “OCR will not impose penalties against covered health care providers for the lack of a [business associate agreement (BAA)] with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.”
When possible, covered healthcare providers should use video communication products through technology vendors that are HIPAA compliant and are willing to enter into a BAA. The Notice of Enforcement Discretion lists several vendors that claim to be HIPAA compliant and are willing to enter into a BAA.
The vendors listed include:
· Skype for Business / Microsoft Teams
· Zoom for Healthcare
· Google G Suite Hangouts Meet
· Cisco Webex Meetings / Webex Teams
· Amazon Chime
· Spruce Health Care Messenger
Public-facing applications like Facebook Live, Twitch, TikTok, and similar applications may not be used under the Notice of Enforcement Discretion.
Other HIPAA Privacy and Security Rules
The Notice of Enforcement Discretion is a very limited exception to the enforcement of the HIPAA Privacy and Security Rules. When providing telehealth services under the Notice of Enforcement Discretion, keep in mind that you are still required to follow all of the other normal privacy and security rules. Your organization should take common-sense steps to ensure patients’ privacy is maintained.
Below are some examples of things to keep in mind when providing telehealth services:
· When providing telehealth services, always verify the identity of the person receiving the services.
· Make sure the patient receiving the telehealth service is alone, or consents to having someone else present during the telehealth service if they are not alone. Be mindful of possible coercion or domestic violence.
· When providing telehealth services from home, make sure you are in a secure private location, where family members and other individuals in your home cannot overhear or interrupt.
· If you have documents in your home that contain Protected Health Information (PHI), keep them in a locked and secure place when you are not using them.
· Log off any computer, device, or software program containing PHI when you are not using it.
Consult with Experts
Before expanding your organization’s telehealth services, you should consult with experts to ensure you remain in compliance and maintain your reputation. An attorney or compliance professional can help ensure that you remain in compliance with both federal and state laws and regulations, and can help you minimize your risk of liability. Further, if you decide to engage a vendor willing to sign a BAA, an attorney can ensure the BAA complies with HIPAA requirements and adequately protects your organization.
An IT professional can help you choose the right audio/video communication product and can instruct you on how to use its privacy and security features to protect your patients’ privacy. Even if you are using non-HIPAA compliant applications allowed under the Notice of Enforcement Discretion, an IT professional can show you how to use the application’s security features to the maximum extent possible. Although the OCR will not come after you if a third party hacks into your telehealth consultation on a non-secure application, such a security breach can still hurt your reputation.
When possible, you should strive to meet all of the HIPAA Privacy, Security, and Notice Rules even when your use falls under the exception of the Notice of Enforcement Discretion. Remember that the Notice of Enforcement Discretion only provides very narrow and temporary exceptions to the HIPAA rules around telehealth. If you are going through the effort of setting up or expanding your organization’s telehealth system, it would benefit your organization to set up a system that can endure past the COVID-19 Nationwide Public Health Emergency and become part of your ongoing practice.
Knowledgeable consultants, like JTG Consulting Group, LLC, can help your organization set up or expand your HIPAA compliant telehealth system, while allowing your organization to continue focusing on its main mission of providing healthcare during this public health emergency.
This article is for informational purposes only. This does not constitute legal advice. You should consult with an experienced attorney prior to instituting any changes under the “Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency”.
© 2020 JTG Consulting Group, LLC