Site icon ProHIPAA

Telehealth and the COVID-19 Crisis

Doctor using a cell phone

Until recently, telehealth has been slowly growing in healthcare, and with COVID-19 more and more providers are switching to it to see patients. Given the state of emergency and the rapid switch, the Office of Civil Rights has released a Notification of Enforcement Discretion for telehealth usage during the crisis. 

What Is Telehealth?

Telehealth is the use of electronic information and telecommunications to support health care, health care related education, and health administration. Telehealth includes:

(Medicare and Medicaid may have restrictions on the type of technology that can be used.)

 

What is the Notification of Enforcement Discretion?

During the COVID-19 crisis, covered healthcare providers will not be penalized for violations of HIPAA that occur in a “good faith provision of telehealth.” This only applies to telehealth – specifically non-public facing communications – and does not apply to any HIPAA violations that may occur outside of the performance of telehealth services. It also does not apply to 42 CFR Part 2 – the Substance Abuse and Mental Health Services Administration (SAMHSA) has their own guidelines here.

Good Faith Telehealth

Bad Faith Telehealth

The Federation of State Medical Boards is tracking state medical licensure waivers for practicing telehealth across state lines here. Right now, 44 states have waivers.

If a breach occurs, OCR will use its enforcement discretion and look at all the facts and context to determine if a provider was acting in good faith or not. They encourage providers to set up BAAs with communications vendors and use vendors who are HIPAA compliant, but won’t be penalized for using a less secure (non-public facing) service in an effort to get up and running and serving patients as quickly as possible.

Basically, if you are on a Zoom call with a patient that somehow gets hacked, you won’t be subject to penalties. However, if you’re using a public chat room to talk to patients about their healthcare needs, you can be penalized. If you’re a healthcare worker using TikTok to share information on health issues, you’re fine… but don’t share anything that contains PHI or specific patient advice.

If you’re a healthcare provider, or a company that is assisting in telehealth for a healthcare provider, be sure that your policies are up to date and include telehealth guidelines. Additionally, employees should be informed as to the guidelines, allowances, and limitations of the Notification on their telehealth work.

The Notification currently does not have an expiration date. As of now, it appears OCR will issue a notice to the public when they consider the Notification no longer valid.

Exit mobile version