Feds Ease Privacy Rules for Sweeping Telehealthcare during Coronavirus


Post By: Diane Evans, Publisher, MyHIPAA Guide

Doctors, you have relief.  Effective immediately, you can see patients through video conferencing without fear of violating privacy rules during this state of nationwide emergency.  This week, the U.S. Office for Civil Rights (OCR) issued two memos. In the first, OCR issued guidance on patient communications and eased privacy requirements and potential penalties for hospitals as they put disaster plans in place.  In the second and newest memo, OCR expressly allows “good faith” efforts to deliver patient care through telehealth, relaxing privacy rules by allowing the use of many popular forms of video conferencing.

This means healthcare providers may use applications for video chats such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to see patients without risk of potential penalties under the Health Insurance Portability and Accountability Act (HIPAA). So-called “public-facing” applications, such as Facebook Live, Twitch and TikTok, should not be used for telehealth.

OCR Director Roger Severino said that even though some telehealth services may not meet existing privacy requirements, “‘we are empowering medical providers to serve patients wherever they are during this national public health emergency.’’

Despite the easing of rules, providers should take precautions to the extent possible. While using these various platforms, for example, enable the encryption and privacy modes available.  In addition, OCR encourages providers to notify patients that their privacy could potentially be compromised as a result of these virtual visits.

For providers seeking additional privacy protections while using video communication,  several major vendors offer HIPAA-compliant video communication services and will enter into business associate agreements. Examples include:

  • Skype for Business
  • Updox
  • VSee
  • Zoom for Healthcare
  • me
  • Google G Suite Hangouts Meet

OCR gives broad discretion to health professionals in determining appropriate purposes for telehealth services.  For instance, a telehealth visit may relate to a new or existing diagnosis, a dental consultation or a psychological evaluation.  Or, a provider may use telehealth services to treat someone with COVID-19 symptoms in an effort to protect themselves, their staff and their facility from potential exposure. Simultaneously, Medicare expanded its coverage to include such services via teleconferencing.

Indeed, the Feds are recognizing that professionals need latitude to use their best judgment during this pandemic.  The question for the future is this: Once telemedicine hits the mainstream, will the delivery of healthcare ever be the same? Privacy may need to permanently adjust.

For technical information relating to telehealth, providers may visit  https://www.healthit.gov/telehealth.

Diane Evans is Publisher for MyHIPAA Guide, a HIPAA consultancy and subscription service. She can be reached at devans@myhipaaguide.com.