Over the past few weeks, as the crisis around COVID-19 has escalated, the federal government has taken steps to empower medical providers to continue caring for patients, wherever they might be, in response to social distancing and self-quarantine directives. Specifically, the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR), the agencies tasked with administration and enforcement of HIPAA regulations, have issued several bulletins which provide guidance to Covered Entities and Business Associates around maintaining patient privacy when using telemedicine practices to treat patients during the COVID-19 public health crisis.
Limited Waiver of HIPAA Penalties
According to the HHS’ notice and OCR’s guidance, the OCR will exercise its enforcement discretion and waive potential penalties for HIPAA violations against health care providers who have shifted to treating patients via on-line communications technologies during the COVID-19 crisis. This “hands off” approach will allow healthcare providers to readily convert in-person healthcare services to telehealth services without having to jump through regulatory hoops typically required by the HIPAA Rules.
Which technologies are acceptable?
Non-public facing, remote, on-line technology platforms that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom or Skype are considered acceptable. However, technologies such as Facebook Live, Twitch, TikTok, and similar public-facing video communication applications, should not be used in the provision of telehealth services by providers.
Is a Business Associate Agreement needed?
While OCR encouraged providers to use communication services through HIPAA-compliant technology vendors with business associate agreements (BAAs) in place, the OCR was clear that covered healthcare providers would not face penalties for failure to enter into a BAA with a video communication vendor during the COVID-19 crisis. However, the OCR clarified that the healthcare provider was still expected to act in good faith in the use of such technologies to provide telehealth services to patients. The OCR also shared a list of HIPAA compliant vendors, although did recognize that the list may be incomplete: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html.
Recommendations for protecting patient privacy:
OCR recommends that healthcare providers offering telehealth services through these communication platforms should continue to protect patient privacy by enabling all available encryption and privacy settings prior to using such applications, and notifying their patients that such third-party applications could potentially introduce unanticipated privacy risks as a result of using such communication tools.
For additional guidance:
Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency https://outsidegc.com/wp-content/uploads/2026/03/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf
If you have any questions regarding the provision of telehealth services, the limited waiver of HIPAA requirements, or any other regulatory questions related to the provision of healthcare services during the COVID-19 crisis, please contact us.