Telehealth May Outlast Waivers; Pay Attention to OCR's Guidance

By Theresa Defino

The use of remote health care services, broadly classified as telehealth, has had many fans in the medical world. Some programs, like a pilot in California, pair primary care and specialty physicians together for patients with limited access.[1] Others, like Intermountain Healthcare, have launched larger scale programs or “virtual hospitals.”[2]

But with the Centers for Medicare & Medicaid Services and the HHS Office for Civil Rights (OCR) both taking actions to facilitate telehealth during the COVID-19 pandemic, over a two-week period or so, the field expanded to a place it had not reached over the past decade.

Still, experts warn that the administrative waivers and expressions of enforcement discretion are time-limited, and that covered entities (CEs) and their business associates (BAs) should really try to follow as many routine HIPAA practices as they can to shield protected health information (PHI).

“I always recommend being as compliant as possible when setting up a telehealth or any other new program,” says attorney Richelle Marting. CEs and BAs are in for a tough go of it, especially now, she says, with so much regulatory change and the unknown of what requirements will be after the national health emergency.

OCR Offered Some Dos and Don’ts

On March 17, OCR Director Roger Severino announced the agency would “exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”[3] OCR also issued a related FAQ document.[4]

The discretion is necessary to enable telehealth, the agency said, because some “remote communication technologies” that providers use “and the manner in which they are used by HIPAA covered health care providers…may not fully comply with the requirements of the HIPAA Rules.”

But OCR advised that “Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.”

Instead, during the emergency, “providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency,” the agency said.

While a business associate agreement (BAA) would be standard with a telehealth vendor, during the emergency OCR isn’t demanding one and won’t pursue enforcement if one is lacking (again, just during the emergency). But it provided a list of “some” vendors who are ready to sign BAAs and purport to be HIPAA compliant, OCR said, for those CEs desiring “additional privacy protections for telehealth.”

These include Skype for Business, Updox, VSee, Zoom for Healthcare and Doxy.me.

Additionally, CEs are “encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications,” OCR said.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings