
HHS Announces HIPAA Regulatory Requirements Eased During COVID-19 Emergency

Posted: 03/19/2020
Services: Cybersecurity and Privacy
Industries: Health Care | HIPAA / Health Information Privacy and Security

On March 17, 2020, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) announced it is temporarily easing enforcement of certain regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  During the novel coronavirus disease (COVID-19) national emergency, covered health care providers subject to the HIPAA Privacy, Security, and Breach Notification Rules (collectively, the “HIPAA Rules”) may communicate with patients, and provide telehealth services, through remote communication technologies that may not fully comply with the requirements of the HIPAA Rules.  

OCR’s announcement stated, “OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”  This HIPAA decision follows the March 17, 2020 announcement from the Centers for Medicare and Medicaid Services expanding telehealth benefits for Medicare Beneficiaries.

The relaxation with respect to the HIPAA Rules for using telehealth is effective immediately and provides that a covered health care provider may use popular audio or video communication technology to provide telehealth services to patients, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.  The technologies include Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype.

OCR’s announcement stated that health care providers who desire additional privacy protections for telehealth should provide those services through technology vendors that represent they provide HIPAA-compliant video communication products and who will enter into a HIPAA Business Associate Agreement. OCR provided the following list of vendors that meet these criteria:

  • Skype for Business
  • Updox
  • VSee
  • Zoom for Healthcare
  • Doxy.me
  • Google G Suite Hangouts Meet

OCR cautioned, however, that health care providers should not use Facebook Live, Twitch, TikTok or similar video communication applications that are public facing to provide telehealth services.

While the COVID-19 pandemic continues and social isolation measures are implemented, health care providers now have an expanded ability to use telehealth services in order to continue to provide medically necessary services to their patients.

Saul Ewing Arnstein & Lehr’s lawyers regularly assist health care providers in implementing telehealth and complying with HIPAA regulations.  For questions about how this guidance affects your practice or company, please reach out to the authors of this article.
