March 23, 2020
Telehealth is an important tool for hospitals, clinics and healthcare providers in the current fight against COVID-19. Although elective procedures, routine medical visits, screenings and preventive care have been cancelled in light of the various state emergency declarations and social distancing measures, many patients still require the services of a healthcare provider.
Earlier this week, HHS announced it would exercise its enforcement discretion to waive penalties for HIPAA violations that may occur in the context of the good faith use of telehealth (the “Notice”), and an expansion in Medicare coverage for telehealth visits. The new guidance issued by HHS clarifies how OCR is applying the Notice in the provision of telehealth.
HHS has issued its guidance in the form of FAQs and provides additional insights into how a healthcare provider can fall within the scope of the good faith exceptions.
Telehealth Is Not Just Video Conferencing
It is important to remember that telehealth is not limited to video conferencing, but broadly includes other electronic means of communication as well. “Telehealth services may be provided, for example, through audio, text messaging, or video communication technology, including videoconferencing software.” FAQ 1. Although the Notice does not directly affect reimbursement eligibility under Medicaid and Medicare, the recent expansion of Medicare coverage of telehealth services, combined with the OCR guidance, may broaden the range of technologies available for patient treatment.
As stated in the Notice, OCR will exercise its discretion to waive enforcement against HIPAA violations if a healthcare provider renders telehealth services in good faith. HHS provides guidance in the FAQs as to what it would consider good faith, which includes discussion of specific telehealth interfaces with patients.
OCR Notice Applies Only to Healthcare Providers, Not Health Insurers
OCR makes clear that the Notice applies only to healthcare providers and not to payors, as specified in FAQ 2. This is an important distinction for health insurers: if a security breach occurs in the context of a telehealth service that fits within the good faith exceptions, OCR would not bring an enforcement action against the healthcare provider but could still take such action against the health insurer.
Use of new or different billing and payment mechanisms for telehealth could introduce new security risks. Although health insurers do not provide telehealth services, they should, when paying for telehealth claims, take necessary measures to ensure that any such payment is sufficiently secure to satisfy HIPAA requirements.
Use of “Public-Facing” Communication Products Does Not Meet Good Faith Criteria for Notification of Enforcement Discretion
The use of “public-facing” communication products will not meet the good faith standard required to fall under the Notice. FAQ 9. HHS provides a list of what it considers to be “non-public facing” products that, if used, would fall within the scope of the Notice. FAQ 10. “Platforms such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Whatsapp video chat, or Skype” would be considered non-public facing by HHS. On the non-video side, non-public facing products “also would include commonly used texting applications such as Signal, Jabber, Facebook Messenger, Google Hangouts, Whatsapp, or iMessage.”
Examples of products that HHS considers to be public-facing include “TikTok, Facebook Live, Twitch, or a chat room like Slack.” These products “are not acceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication.”
The list of non-public facing products is non-exhaustive, but the listed products share three characteristics that OCR considers key: “Typically, these platforms employ end-to-end encryption, which allows only an individual and the person with whom the individual is communicating to see what is transmitted. The platforms also support individual user accounts, logins, and passcodes to help limit access and verify participants. In addition, participants are able to assert some degree of control over particular capabilities, such as choosing to record or not record the communication or to mute or turn off the video or audio signal at any point.”
When choosing a product that is not on the OCR list, a provider should confirm that it offers at least these three characteristics: end-to-end encryption of the session, per-user accounts with authentication, and participant control over recording, audio and video. Note that OCR says these platforms “typically” employ end-to-end encryption; a provider should verify the vendor's documented security features rather than assume them from a product's appearance on the list.
Security Breaches with Non-Public Facing Products Will Not Result in Enforcement by OCR
FAQ 11 asks: “if a covered health care provider uses telehealth services during the COVID-19 outbreak and electronic protected health information is intercepted during transmission, will OCR impose a penalty on the provider for violating the HIPAA Security Rule?” The recently reported cyberattack on HHS during the COVID-19 crisis shows that attackers are, unfortunately, exploiting this vulnerable period. As the volume of telehealth services increases, so too do the number of users and the attack surface exposed to this kind of interception.
OCR responds to this FAQ by indicating that it will not pursue enforcement action in these circumstances if the telehealth services are provided in good faith. OCR goes on to clarify that it will consider “all facts and circumstances” to determine what constitutes a good faith provision of telehealth services. In order to ensure the effective delivery of treatment, healthcare providers are encouraged to use the products listed in the guidance, but healthcare providers “will not be penalized for using less secure products in their effort to provide the most timely and accessible care possible to patients during the Public Health Emergency.”
OCR’s statement that it will not bring enforcement actions for security breaches that occur despite good faith efforts should help alleviate the concerns of healthcare providers as they ramp up their telehealth services during these constantly changing times, bearing in mind that OCR will weigh all facts and circumstances in deciding whether a provider acted in good faith.
As outlined above, healthcare providers wishing to expand the provision of care to their patients using telehealth services should take measures to ensure that the technologies they employ fit within the good faith exceptions set forth in the Notice. Correspondingly, health insurers should take all necessary steps to secure their telehealth claims processing functions in compliance with HIPAA standards.