HIPAA Enforcement Discretion FAQ
By Dinsmore's Jared Bruce
In the midst of the COVID-19 public health emergency, the Department of Health and Human Services (HHS), Office of Civil Rights (OCR) announced that health care providers covered under Health Insurance Portability and Accountability Act (HIPAA) would not be sanctioned for noncompliance with certain HIPAA requirements. OCR will not penalize covered health care providers that: (1) utilize certain “non-public facing” video communication for the good faith provision of any telehealth services; or (2) penalize certain hospitals for failure to comply with certain HIPAA requirements during hospital disaster protocol.
How is HHS exercising its enforcement discretion for covered health care providers to provide telehealth services during the public health emergency?
During the COVID-19 public health emergency, covered health care providers subject to the HIPAA Rules may seek to communicate with patients and provide telehealth services, through “non-public facing” remote communications technologies. OCR recognizes that some of these technologies, and the manner in which they are used by HIPAA-covered health care providers, may not fully comply with the requirements of the HIPAA Rules.
OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
Additionally, OCR will not impose penalties against covered health care providers for the lack of a HIPAA required business associate agreement (BAA) with video communication vendors or any other noncompliance with the HIPAA Rules that relate to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.
What telehealth services can covered health care providers render through non-public facing communication technology?
The OCR exercise of discretion applies to telehealth services provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.
What is considered a non-public-facing remote communication technology?
According to OCR, covered health care providers may use popular non-public facing applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without the risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications. However, OCR has cautioned that Facebook Live, Twitch, TikTok, and similar video communication applications are public-facing and should not be used in the provision of telehealth by covered health care providers.
How long will OCR exercise its enforcement discretion for telehealth services?
The notice of OCR’s enforcement discretion is effective immediately and will last for the duration of the public health emergency.
The full OCR Notice on the exercise of its enforcement discretion is available here.
What regulations have HHS waived for hospitals under the COVID-19 public health emergency?
HHS has waived sanctions and penalties arising from noncompliance with the following provisions of the HIPAA privacy regulations: (a) the requirements to obtain a patient’s agreement to speak with family members or friends or to honor a patient’s request to opt-out of the facility directory (as set forth in 45 CFR § 164.510); (b) the requirement to distribute a notice of privacy practices (as set forth in 45 CFR. § 164.520); and (c) the patient’s right to request privacy restrictions or confidential communications (as set forth in 45 CFR § 164.522). But in each case, it is only with respect to hospitals in the designated geographic area that have hospital disaster protocols in operation during the time the waiver is in effect.
How long will the HIPAA non-enforcement waivers for hospitals continue in place?
The HIPAA waivers described above are in effect for a period of time not to exceed 72 hours from the implementation of a hospital disaster protocol.
The full HHS waiver regarding the waiver of HIPAA requirements for a hospital is available here.