HIPAA has not been suspended, despite grapevine rumors to the contrary, during the Public Health Emergency. The Office for Civil Rights announced a Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency. The OCR announcement gave the provider community welcome news, tempered with cautions:
- Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype “could be” used for “Telehealth”
- Facebook Live, Twitch, TikTok, and similar public-facing video communication apps “should not” be used for Telehealth
- Patient notification “should be” provided indicating that third-party apps “potentially introduce privacy risks”, and providers should enable all available encryption and privacy modes when using these apps
- Enforcement discretion related to HIPAA non-compliance during the “good faith” provision of telehealth would be exercised during the COVID-19 nationwide public health emergency
OCR Director Roger Severino announced HIPAA enforcement discretion during the COVID-19 PHE, stating that:
Covered health care providers subject to the HIPAA Rules may seek to communicate with patients, and provide telehealth services, through remote communications technologies. OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
Now that the PHE has been renewed for three (3) 90-day periods, it’s a good time for Therapy Providers to consider and transition to HIPAA-compliant technologies for Telehealth, which provide additional privacy protections through technology vendors that will enter into HIPAA business associate agreements (BAAs). OCR identified the following vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA:
- Skype for Business / Microsoft Teams
- Zoom for Healthcare
- Google G Suite Hangouts Meet
- Cisco Webex Meetings / Webex Teams
- Amazon Chime
- Spruce Health Care Messenger
Are you providing “Telerehabilitation”? Are patient notifications in place for use of non-HIPAA-compliant video technologies? Have you implemented a HIPAA-compliant solution including a BAA? Do you have Telerehabilitation Policies & Procedures?
(Note: the OCR stated that it had not reviewed the BAAs offered by the above vendors, and the list does not constitute an endorsement, certification, or recommendation of specific technology, software, applications, or products. The OCR also indicated that there may be other technology vendors that offer HIPAA-compliant video communication products that will enter into a HIPAA BAA with a covered entity.)