OCR Will Not Impose Penalties for Noncompliance with HIPAA Regulations Under Good Faith Provision of Telehealth During COVID-19 Pandemic

The Office for Civil Rights (OCR) at the Department of Health and Human Services recently issued a notice that it will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers under the “good faith provision” of telehealth during the COVID-19 pandemic.

Effective immediately, OCR announced it will exercise its enforcement discretion in allowing a covered health care provider to use any non-public facing remote communication product that is available to communicate with patients in order to provide telehealth. OCR recognizes that some of these audio or video communication products, and the manner in which they are used by HIPAA-covered health care providers, may not fully comply with the requirements of the HIPAA Rules. OCR will not impose penalties against covered health care providers for any noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 pandemic. This exercise of discretion applies to telehealth provided for any reason, regardless of whether it is related to the diagnosis and treatment of COVID-19, such as a sprained ankle, dental consultation or psychological evaluation, or other conditions.

This allows covered health care providers to use video chat applications such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules. However, Facebook Live, Twitch, TikTok, YouTube, and similar video communication applications that are considered “public facing,” or accessible to the public from the internet, should not be used.

Certain technology venders represent that they are HIPAA complaint, and have agreed to enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products. These vendors include Skype for Business / Microsoft Teams, Updox, VSee, Zoom for Healthcare, Doxy.me, Google G Suite Hangouts Meet, Cisco Webex Meetings / Webex Teams, Amazon Chime, GoToMeeting and Spruce Health Care Messenger.

OCR has advised that it has not reviewed the BAAs offered by these vendors, and it has not provided any specific endorsement. But OCR will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 pandemic. Providers should still notify their patients that these third-party applications potentially introduce privacy risks, and any available encryption and privacy modes should be enabled when using these applications.

For more information or guidance on BAAs, including sample BAA provisions, contact Buckingham Partner Amanda M. Gatti.