On March 17, 2020, OCR issued guidance indicating that it would exercise enforcement discretion and waive penalties for entities that provide services to individuals using “everyday communication technologies.”
On March 20, 2020, OCR provided additional, more detailed guidance on telehealth services applicable to all health care providers covered by HIPAA who provide telehealth services during the COVID-19 public health emergency.
OCR defines “telehealth” as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration” (relying on the definition used by the Health Resources and Services Administration of DHHS). Telehealth may be provided through audio, text messaging, or video conferencing. This guidance does not apply to other covered entities, such as insurance companies, that may pay for telehealth services.
OCR has indicated that it will not subject health care provider covered entities to penalties for violations of the HIPAA privacy, security, and breach notification rules that occur during the good faith provision of telehealth services during the public health emergency. All services considered by the provider to be appropriate for telehealth are covered by this guidance.
OCR provided examples of what would be considered bad faith use of telehealth, such as:
- Conduct or furtherance of a criminal act, such as fraud, identity theft, and intentional invasion of privacy;
- Any use or disclosure of PHI prohibited by HIPAA (sale of the data, or use of the data for marketing without an authorization);
- Any use of telehealth which violates state licensing laws or professional ethical standards that result in disciplinary actions related to the treatment offered or provided via telehealth (i.e., based on documented findings of a health care licensing or professional ethics board); or
- Use of any form of remote communication identified by OCR as unacceptable, such as Facebook Live, Twitch, or a chat room like Slack.
OCR recommends that telehealth be conducted in private settings, with telehealth used in public settings only in exigent circumstances. In all cases, providers should continue to implement HIPAA safeguards and take whatever steps are reasonable to keep the telehealth sessions confidential.
Telehealth providers must still comply with state licensure and scope of practice laws.
Disclosure to First Responders
On March 24, 2020, OCR issued guidance describing the circumstances under which covered entities may disclose PHI about an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities. A covered entity may make such disclosures in the following circumstances:
- when necessary for treatment;
- when required by law;
- when first responders may be at risk of infection; or
- when necessary to lessen a serious threat or imminent threat to the public.
Covered entities are expected to provide the minimum necessary information to first responders except in cases of treatment or where required by law.