As the Coronavirus crisis continues to unfold in the United States, the healthcare system in many places is bracing for a severe increase in patient visits and hospitalizations which could overwhelm even the most prepared system. One way in which healthcare providers have tried to manage this demand, as well as limit the amount of contact between patients and caregivers which could further spread the virus, is by expanding their efforts to provide care remotely through telehealth services.
Under normal circumstances, the adoption of telehealth technology would require both technology vendors and providers to undergo various privacy and security risk assessments to ensure that the telehealth solution to be implemented complies with the HIPAA privacy and security rules, the U.S. law intended to protect patient data. This process can be lengthy and complex.
Given the risks involved in the rapid spread of the Coronavirus, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), which enforces HIPAA, decided to use its discretion in enforcing the HIPAA regulations and waive potential penalties for HIPAA violations stemming from healthcare providers’ implementation of telehealth solutions that may not be fully compliant with HIPAA.
On Tuesday, March 17th, OCR released a Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency. This OCR notification was made effective immediately and could be relevant to any healthcare provider and technology vendor offering solutions to healthcare providers. According to this notification, “OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”
What does it mean? The HIPAA regulations impose several restrictions and barriers to using and disclosing patient data. These regulations apply to the provision of telehealth through video conferencing and chat, which could restrict how these technologies are used. Under this new OCR notification, companies and healthcare providers will be able to use various telehealth solutions even if they haven’t taken the steps necessary to ensure they are HIPAA-compliant, so long as they act in good faith. This should allow for a faster deployment and expansion of telehealth services in the U.S.
Interestingly, but unsurprisingly, the OCR notification specifically stated that this enforcement discretion does not apply to publicly facing apps such as Twitch, Facebook Live, and TikTok, presumably because such apps lack even minimal privacy protections needed to protect patients’ protected health information.
While this OCR notification was announced at a time of crisis, it could lead to the rapid expansion of telehealth services in the U.S., which would remain with us long after the Coronavirus is brought under control.