1. What is telehealth?

The Health Resources and Services Administration (HRSA) of the U.S. Department of Health and Human Services (HHS) defines telehealth as the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration. Technologies include videoconferencing, the internet, store- and-forward imaging, streaming media, and landline and wireless communications.

Telehealth services may be provided, for example, through audio, text messaging, or video communication technology, including video conferencing software. For purposes of reimbursement, certain payors, including Medicare and Medicaid, may impose restrictions on the types of technologies that can be used.1 Those restrictions do not limit the scope of the HIPAA Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications.

1 Medicare pays for many different services that involve use of these types of communications technologies. A fact sheet regarding Medicare payment and coverage is available at: https://www.cms.gov/files/document/03052020- medicare-covid-19-fact-sheet.pdf – PDF. Telehealth services paid by Medicare are the services defined in section 1834(m) of the Social Security Act that would otherwise be furnished in person but are instead furnished via realtime, interactive communication technology.

2. What entities are included and excluded under the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications?

The Notification of Enforcement Discretion issued by the HHS Office for Civil Rights (OCR) applies to all health care providers that are covered by HIPAA and provide telehealth services during the emergency. A health insurance company that pays for telehealth services is not covered by the Notification of Enforcement Discretion.

Under the Health Insurance Portability and Accountability Act (HIPAA), a “health care provider” is a provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. Health care providers include, for example, physicians, nurses, clinics, hospitals, home health aides, therapists, other mental health professionals, dentists, pharmacists, laboratories, and any other person or entity that provides health care. A “health care provider” is a covered entity under HIPAA if it transmits any health information in electronic form in connection with a transaction for which the Secretary has adopted a standard (e.g., billing insurance electronically). See 45 CFR 160.103 (definitions of health care provider, health care, and covered entity).

By contrast, a health insurance company that merely pays for telehealth services would not be covered by the Notification of Enforcement Discretion because it is not engaged in the provision of health care.

3. What patients can a covered health care provider treat under the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications and does it include Medicare and Medicaid patients?

This Notification applies to all HIPAA-covered health care providers, with no limitation on the patients they serve with telehealth, including those patients that receive Medicare or Medicaid benefits, and those that do not.

Information specifically about telehealth and Medicare is available at https://www.cms.gov/newsroom/fact-sheets/medicare-telemedicine-health-care-provider-fact-sheet and https://edit.cms.gov/files/document/medicare-telehealth-frequently-asked-questions-faqs-31720.pdf – PDF.

4. Which parts of the HIPAA Rules are included in the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications?

Covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This Notification does not affect the application of the HIPAA Rules to other areas of health care outside of telehealth during the emergency.

5. Does the Notification of Enforcement Discretion regarding COVID- 19 and remote telehealth communications apply to violations of 42 CFR Part 2, the HHS regulation that protects the confidentiality of substance use disorder patient records?

No, the Notification addresses the enforcement only of the HIPAA Rules. The Substance Abuse and Mental Health Services Administration (SAMHSA) has issued similar guidance on COVID-19 and 42 CFR Part 2, which is available at: https://www.samhsa.gov/sites/default/files/covid-19-42-cfr-part-2- guidance-03192020.pdf.

6. When does the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications expire?

The Notification of Enforcement Discretion does not have an expiration date. OCR will issue a notice to the public when it is no longer exercising its enforcement discretion based upon the latest facts and circumstances.

7. Where can health care providers conduct telehealth?

OCR expects health care providers will ordinarily conduct telehealth in private settings, such as a doctor in a clinic or office connecting to a patient who is at home or at another clinic. Providers should always use private locations and patients should not receive telehealth services in public or semi-public settings, absent patient consent or exigent circumstances.

If telehealth cannot be provided in a private setting, covered health care providers should continue to implement reasonable HIPAA safeguards to limit incidental uses or disclosures of protected health information (PHI). Such reasonable precautions could include using lowered voices, not using speakerphone, or recommending that the patient move to a reasonable distance from others when discussing PHI.

8. What telehealth services are covered by the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications?

All services that a covered health care provider, in their professional judgement, believes can be provided through telehealth in the given circumstances of the current emergency are covered by this Notification. This includes diagnosis or treatment of COVID-19 related conditions, such as taking a patient’s temperature or other vitals remotely, and diagnosis or treatment of non-COVID-19 related conditions, such as review of physical therapy practices, mental health counseling, or adjustment of prescriptions, among many others.

What may constitute bad faith in the provision of telehealth by a covered health care provider, which would not be covered by the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications?

OCR would consider all facts and circumstances when determining whether a health care provider’s use of telehealth services is provided in good faith and thereby covered by the Notice. Some examples of what OCR may consider a bad faith provision of telehealth services that is not covered by this Notice include:

• Conduct or furtherance of a criminal act, such as fraud, identity theft, and intentional invasion of privacy;
• Further uses or disclosures of patient data transmitted during a telehealth communication that are prohibited by the HIPAA Privacy Rule (e.g., sale of the data, or use of the data for marketing without authorization);
• Violations of state licensing laws or professional ethical standards that result in disciplinary actions related to the treatment offered or provided via telehealth (i.e.,based on documented findings of a health care licensing or professional ethics board); or
• Use of public-facing remote communication products, such as TikTok, Facebook Live, Twitch, or a public chat room, which OCR has identified in the Notification as unacceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication.

9. What is a “non-public facing” remote communication product?

A “non-public facing” remote communication product is one that, as a default, allows only the intended parties to participate in the communication.

Non-public facing remote communication products would include, for example, platforms such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Whatsapp video chat, Zoom, or Skype. Such products also would include commonly used texting applications such as Signal, Jabber, Facebook Messenger, Google Hangouts, Whatsapp, or iMessage. Typically, these platforms employ end-to-end encryption, which allows only an individual and the person with whom the individual is communicating to see what is transmitted. The platforms also support individual user accounts, logins, and passcodes to help limit access and verify participants. In addition, participants are able to assert some degree of control over particular capabilities, such as choosing to record or not record the communication or to mute or turn off the video or audio signal at any point.

In contrast, public-facing products such as TikTok, Facebook Live, Twitch, or a public chat room are not acceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication. For example, a provider  that uses Facebook Live to stream a presentation made available to all its patients about the risks of COVID-19 would not be considered reasonably private provision of telehealth services. A provider that chooses to host such a public-facing presentation would not be covered by the Notification and should not identify patients or offer individualized patient advice in such a livestream.

10. If a covered health care provider uses telehealth services during the COVID-19 outbreak and electronic protected health information is intercepted during transmission, will OCR impose a penalty on the provider for violating the HIPAA Security Rule?

No. OCR will exercise its enforcement discretion and will not pursue otherwise applicable penalties for breaches that result from the good faith provision of telehealth services during the COVID-19 nationwide public health emergency. OCR would consider all facts and circumstances when determining what constitutes a good faith provision of telehealth services. For example, if a provider follows the terms of the Notification and any applicable OCR guidance (such as this and other FAQs on COVID-19 and HIPAA), it will not face HIPAA penalties if it experiences a hack that exposes protected health information from a telehealth session.

OCR believes that many current and commonly available remote electronic communication products include security features to protect ePHI transmitted between health care providers and patients. In addition, video communication vendors familiar with the requirements of the Security Rule often include stronger security capabilities to prevent data interception and provide assurances they will protect ePHI by signing a HIPAA business associate agreement (BAA). Providers seeking to use video communication products are encouraged to use such vendors, but will not be penalized for using less secure products in their effort to provide the most timely and accessible care possible to patients during the Public Health Emergency.

Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

OCR does not endorse the use of or the security capabilities of any particular communications product.

The information presented in our library is for informational purposes only, they are not for implementation in operations. Please consult official HIPAA guidance documents for operational use.

This information was sourced from HIPAA FAQs for Professionals.

1. What is a covered entity’s liability under the HIPAA Privacy Rule for sharing data inappropriately to or through a health information organization (HIO) or other electronic health information exchange network?

A covered entity that exchanges protected health information (PHI) to or through a HIO or otherwise participates in electronic health information exchange is responsible for its own non-compliance with the Privacy Rule, and for violations by its workforce. A covered entity is not directly liable for a violation of the Privacy Rule by a HIO acting as its business associate, if an appropriate business associate agreement is in place. Nor can a HIO as a business associate be held liable for civil money penalties arising from violations of the Privacy Rule. Rather, where a business associate agreement exists between a covered entity and a HIO for the electronic exchange of PHI, the HIO will be contractually obligated to adequately safeguard the PHI and to report noncompliance with the agreement terms to the covered entity, and the covered entity will be held accountable for taking appropriate action to cure known noncompliance by the business associate, and if unable to do so, to terminate the business associate relationship. See 45 C.F.R. §§ 164.502(e), 164.504(e). Furthermore, a covered entity is not liable for a disclosure that is based on the non-compliance of another entity within the health information exchange, as long as the covered entity has complied with the Privacy Rule. See the original answer on hhs.gov here.

2. Does the HIPAA Privacy Rule require a covered entity to “police” a health information organization (HIO), which functions as its business associate?

No. As with other business associates, the Privacy Rule would require that a covered entity enter into a relationship with a HIO in a way which anticipates and reasonably safeguards against the potential for inappropriate uses and disclosures, specifically through the use of a business associate agreement. The Privacy Rule also would require the covered entity to respond appropriately to complaints and evidence of violations, but it would not otherwise require the covered entity to actively monitor or oversee the extent to which a HIO, acting as its business associate, abides by the privacy provisions of the agreement, or the means by which the HIO carries out its privacy safeguard obligations. See 45 C.F.R. §§ 164.502(e), 164.504(e). See the original answer on hhs.gov here.

3. How should a covered entity respond to any HIPAA Privacy Rule violation of a health information organization (HIO) acting as its business associate?

The Privacy Rule establishes a series of steps a covered entity should take in response to any complaints or other evidence it receives that a HIO has violated its business associate agreement, which include the following:

• investigation of any complaint received, as well as of other information containing credible evidence of a violation;
• reasonable steps to cure/end any material breaches or violations it becomes aware of;
• termination of the agreement where attempts to cure a material breach are unsuccessful; and
• in the event termination of the agreement is not feasible, the report of violation(s) to the Secretary of HHS, through OCR. See 45 C.F.R. § 164.504(e)

See the original answer on hhs.gov here.

4. Who is liable under the HIPAA Privacy Rule where multiple covered entities have signed on to a single business associate agreement and one member breaches the agreement?

The Privacy Rule is flexible enough to allow multiple covered entities to exchange information with each other in an electronically networked environment upon entering into a single, multi-party business associate agreement. Regardless of the number of signatories, the obligations in a multi-party business associate agreement will be largely bi-directional. Covered entities will still be accountable for the actions of their workforce, as well as the contents and enforcement of its business associate agreement with the health information organization (HIO). See 45 C.F.R. §§ 164.530(b),(e) and 164.504(e). Covered entities will not be liable, however, for the violations of other participants in the HIO’s health information exchange. See the original answer on hhs.gov here.

The information presented in our library is for informational purposes only, they are not for implementation in operations. Please consult official HIPAA guidance documents for operational use.

This information was sourced from HIPAA FAQs for Professionals.