Telehealth Rules Relaxed Amid COVID-19 Outbreak, Enforcement of Privacy Laws Unclear

March 23, 2020

The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) has made it easier for health care providers to treat patients remotely.

During the COVID-19 public health emergency, OCR will not enforce the Health Insurance Portability and Accountability Act’s (HIPAA) requirements governing audio and video communication technologies.

While HHS has shown a willingness to relax standards in the wake of the pandemic, companies must be mindful that the questions of whether and how other data privacy laws and regulations will be enforced during this time remain unanswered.

Which apps can providers use under relaxed rules?

Covered health care providers may now use any non-public-facing remote communication application they have available to connect with patients, even if those means would not normally comply with HIPAA’s privacy and confidentiality rules. Business Associate Agreements (BAAs) are also no longer required before a provider can use a third party’s technology to store or transmit patient data.

OCR’s announcement allows providers to reach patients using common video and messaging services, including, for example, Apple FaceTime, Facebook Messenger, and Skype. Importantly, however, public-facing video platforms, such as Facebook Live and TikTok, cannot be used to provide telehealth services.

OCR’s decision not to enforce HIPAA’s encryption and security standards applies to telehealth provided for any reason, meaning it does not need to be directly related to the diagnosis and treatment of COVID-19-related health conditions.

Patient privacy remains a concern

Telehealth care providers should remain as vigilant as possible in protecting patient privacy. HHS notes that the following vendors are HIPAA compliant and will agree to enter into HIPAA Business Associate Agreements: Skype for Business; Zoom for Healthcare; and Google G Suite Hangouts Meet, among others.

Providers that decide to use other tools should deploy any available encryption and privacy tools. They should also seek informed consent from patients to use non-HIPAA-compliant technologies, notifying them that the third-party applications pose potential privacy risks.

Our team will continue to share the latest developments and provide insights on the spread of coronavirus and its impact across sectors.