By Cindy Amedee
Partner, Taylor Porter Health Care Practice
In a recent Notification of Enforcement Discretion (Notice) issued by the Office for Civil Rights (OCR), OCR exercised its discretion to relax its enforcement of the HIPAA privacy and security rules pertaining to telehealth visits during the COVID-19 pandemic. OCR recognized that during this time, health care providers and patients may need or elect to communicate by audio or video using technology that may not fully comply with HIPAA regulations.
Typically, a provider must thoroughly vet the security of any technology it uses to ensure it meets the standards set forth in the HIPAA rules and guidance. A failure to ensure the security of technology may rise to the level of noncompliance with the regulations and lead to sanctions or penalties. In light of our current coronavirus public health emergency, however, OCR has elected not to impose penalties for HIPAA noncompliance in connection with the “good faith provision of telehealth using non-public audio and video technology communication products.” The Notice is clear that relaxation of enforcement does not extend to use of public audio and video applications, such as Facebook Live, TikTok and other public types of technology.
According to the Notice, health care providers are free to use many types of popular non-public applications, such as FaceTime, Facebook Messenger, Google Hangouts, Zoom, and other similar technologies. For health care providers who want additional privacy and security assurance, OCR provided a list of some third-party vendors who provide HIPAA-compliant video communications. The list includes the following:
Note that OCR does not endorse or certify any of the foregoing, and it acknowledges that there may be other vendors that provide HIPAA-compliant telehealth technology. No matter which technology is used, OCR encourages health care providers to explain to patients that privacy risks are possible, and providers should enable all encryption and privacy settings for the application.
Under normal circumstances, HIPAA mandates that health care providers enter into Business Associate Agreements with their third-party technology vendors. According to the Notice, however, OCR will not impose penalties if a Business Associate Agreement is not obtained where services relate to the good faith provision of telehealth services during the COVID-19 pandemic.
The Taylor Porter Health Care Practice Group continues to monitor the fluid and increasing obstacles confronting the health care system amidst COVID-19, and its unprecedented burden on providers. We will continue to alert you to these updates and post any news and legal developments to our Coronavirus Legal Blog and Resources section of our website.
About Cindy Amedee: Taylor Porter Partner Cindy Amedee represents health care clients in a wide variety of matters, including health care transactions, mergers and acquisitions, federal and state health care compliance and regulation, HIPAA, hospital system vendor relationships and purchasing transactions, as well as representing clients on health information technology issues, with an emphasis on the privacy and security of electronic medical records and the exchange of patient health information via technology systems. Cindy is a published author and has lectured on several topics, including HIPAA regulations and the Affordable Care Act’s impact on employers. She frequently conducts HIPAA trainings for clients.