Updated: Jun 13, 2020
The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is responsible for enforcing the privacy and security rules of HIPAA. Due to the COVID-19 national emergency (also a nationwide public health emergency) OCR will not impose penalties for noncompliance for use of unapproved telehealth remote communication products.
The OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This notification is effective immediately.
The OCR goes on to further state that providers may use any non-public facing remote communication product.
OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.
OCR listed the following as acceptable for provider use:
Facebook Messenger video chat
Google Hangouts video
Covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
Providers SHOULD NOT use:
NO Facebook Live
or similar video communication applications are public facing
The OCR provided a list of vendors that will sign a BAA with providers:
Skype for Business / Microsoft Teams
Zoom for Healthcare