On March 20, 2020, the Office for Civil Rights (OCR) issued guidance in furtherance of its Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency. OCR issued the guidance as frequently asked questions (FAQs) published by the Department of Health and Human Services (HHS). This guidance further explains how OCR will exercise its enforcement discretion related to the “good faith provision of telehealth” during the COVID-19 public health emergency period.
Per OCR, the Notification of Enforcement Discretion (the Notification) applies to all covered health care providers (as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act). HIPAA defines “health care provider” as “a provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.” The Health Resources and Services Administration (HRSA) of HHS defines telehealth as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration.”
Services covered under the Notification include “all services that a covered health care provider, in their professional judgment, believes can be provided through telehealth in the given circumstances of the current emergency,” regardless of whether the services relate to COVID-19. Providers are “encouraged” to use HIPAA-compliant vendors when delivering telehealth services, “but will not be penalized for using less secure products in their effort to provide the most timely and accessible care possible.” OCR expects providers to engage in telehealth services from private settings, with patients in similarly private settings. Where “exigent circumstances” exist, providers may engage in telehealth services with patients in public or semi-public settings. In such instances, OCR expects providers to limit incidental uses and disclosures of protected health information by “using lowered voices, not using speakerphone, or recommending that the patient move to a reasonable distance from others.”
The FAQs list activities that may constitute the “bad faith provision of telehealth services” and therefore fall outside the scope of the Notification:
- Conduct in furtherance of criminal activity;
- Further uses or disclosures prohibited by the HIPAA Privacy Rule (including the “sale of the data, or use of the data for marketing without authorization”);
- “Violations of state licensing laws or professional ethical standards that result in disciplinary actions related to the treatment offered or provided via telehealth”; and
- The use of public-facing remote communication products (as further described in the Notification and the FAQs).
The Notification will expire upon notice issued by OCR.