The U.S. Department of Health and Human Services (“HHS”) has announced a plan of enforcement discretion regarding telehealth communications and testing sites during the COVID-19 Nationwide Public Health Emergency. As a result, HHS will not impose penalties for covered healthcare providers’ noncompliance with HIPAA in connection with the good faith provision of telehealth during the emergency. Roger Severino, Director of the HHS Office for Civil Rights (“OCR”), explained the decision was motivated by a desire to, “empower[..] medical providers to serve patients wherever they are during this national public health emergency. We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”
As a result, any covered healthcare provider may use any non-public facing remote communication product, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth to patients. Notably, Facebook Live, Twitch, TikTok, and similar video communication applications are considered by OCR to be public facing, and should not be used in the provision of telehealth.
HHS’s exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19. Providers are encouraged, however, to enable all available encryption and privacy modes when using technology, as well as notify patients that the use of technology in the provision of telehealth potentially introduces privacy risks.
As an example, a provider could, in the exercise of professional judgement, utilize a cell phone video chat application to examine a patient exhibiting COVID-19 symptoms. This practice would permit the provider to evaluate a larger number of patients while also limiting the infection risk associated with in-person consultation. During the public health emergency, the provider could provide those same telehealth services to assess or treat medical conditions unrelated to COVID-19.
HHS has published a bulletin advising covered entities of further flexibilities available to them as well as obligations that remain in effect under HIPAA as they respond to crises or emergencies.
In addition to its decision regarding telehealth, HHS has announced it will exercise enforcement discretion for violations committed by covered healthcare providers in their work with community-based testing sites during the emergency. As part of the overall effort to increase mobile testing sites across the country, Director Severino explained enforcement discretion in this area “supports these critical efforts to test and diagnose patients during this nationwide emergency."
Unlike the decision regarding telehealth, OCR’s position on mobile testing sites applies only to certain health care providers, including some large pharmacy chains, that are only offering COVID-19 specimen collection or testing. During the emergency, OCR will not penalize healthcare providers for HIPAA violations stemming from "good faith uses and disclosures of protected health information by business associates for public health and health oversight activities.”
Covered healthcare providers should be cognizant, however, of the potential interplay between the HHS’s decision on enforcement discretion and Missouri law addressing the fiduciary duty of confidentiality and nondisclosure of protected health information. Thus, absent federal or state legislation shielding healthcare providers from civil liability for COVID-19 related services or other services during the public health emergency, providers could still face potential litigation for claimed monetary damages stemming from improper disclosure of protected health information.