HIPAA Enforcement Changes Amid COVID-19: Fact Versus Fiction
When the United States government announced a loosening of some HIPAA requirements during the national emergency, independent healthcare practices rejoiced. But many practitioners also went overboard, misunderstanding how the notification applies—and more importantly, how it doesn’t. We help you separate the myths from the realities.
On March 17, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”), released a Notification of Enforcement Discretion. The Notification informed healthcare providers that OCR would loosen regulations and enforcement actions for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) arising from telehealth services.
Many healthcare professionals read the headlines and came away believing that the government had waived HIPAA for the duration of the emergency. As they scrambled to implement telehealth and reshape their practices in a chaotic new environment, such wishful thinking was understandable. But it was wishful thinking, nonetheless.
We’re here to ground you in reality and break down some of the most common misguided beliefs. Learn the basics of the OCR Notification so that you can stay compliant while navigating the national emergency.
Belief #1: HIPAA is no longer law.
Reality: False. HIPAA is still on the books.
The OCR Notification did not change the legal existence of HIPAA. However, the Notification did change how OCR will enforce violations related to telehealth services in the immediate future. Under this Notification, violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency will not lead to penalties for health care providers. That can be a lot to digest, but keep reading to find out what that can mean for your practice.
Belief #2: I don’t take Medicare or federal payors, so this is not relevant to my practice.
Reality: False. This Notification applies to all health care providers who are covered by HIPAA and provide telehealth services during the emergency.
HIPAA covers a health care provider if the provider fits the definition of a “covered entity,” meaning that the health care provider transmits healthcare information electronically in connection with a transaction. This is most easily understood through the example of billing. If you take any form of insurance, whether private or governmental, you are a covered entity under HIPAA. That means that the Notification and OCR’s decision to not penalize covered health care providers for violations of the HIPAA Privacy, Security, and Breach Notification Rules may apply to your practice. This Notification, however, has no bearing on entirely cash-based practices.
Belief #3: There is no HIPAA enforcement, so there will be no consequences for any HIPAA violation.
Reality: False. The OCR has decided not to penalize health care providers for care rendered through telehealth during this emergency.
OCR has specified that this Notification does not affect how HIPAA rules apply to other areas of health care. HIPAA rules will continue to be enforced normally for violations that occur as a result of rendering in-person health care services. If your practice is operational and continues to provide in-person services, you must continue to comply with HIPAA or face potential consequences.
Belief #4: HIPAA is not being enforced for telehealth services.
Reality: True, but more is required than providing telehealth services.
While OCR is not penalizing health care providers for HIPAA violations that occur as a result of telehealth services, this comes with a caveat. OCR has clarified that their office will not penalize health care providers for HIPAA violations to the Privacy, Security, or Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
Belief #5: Only extremely bad actions will constitute “bad faith” in the provision of telehealth.
Reality: False. OCR ultimately determines good faith.
OCR clarified that it would consider all facts and circumstances when determining whether a health care provider used telehealth services in good faith. However, OCR did provide some examples of what may be considered a bad faith provision of telehealth services:
- Conduct or furtherance of a criminal act, including fraud, identity theft, and intentional invasion of privacy
- Violations of state licensing laws or professional ethical standards that result in disciplinary actions related to telehealth treatment
- Further use or disclosure of patient data transmitted during a telehealth communication that is prohibited by the HIPAA Privacy Rule, such as the sale of data or use of data for marketing without the patient’s authorization
- Use of public-facing communication products like TikTok, Twitch, chat rooms like Slack, and any other platform designed to be open to the public or which allows indiscriminate access to the communication
Any actions you engage in during a telehealth service that may violate your state licensing laws or your professional ethical standards, if those actions result in discipline, can be considered bad faith and disqualify you from protection for HIPAA violations under this Notification. You must continue to practice within your scope and as dictated by your professional ethics.
Belief #6: Telehealth services may only be related to the treatment of COVID-19.
Reality: False. This Notification applies to all telehealth services rendered by a health care provider to whom HIPAA applies.
This applies to any telehealth services rendered and does not need to be about or relating to a potential COVID-19 diagnosis. Many health services are suitable for treatment through telehealth. However, telehealth is only appropriate if you can maintain the same standard of care as you would in a traditional in-person setting. Unfortunately, some health care services require the provider to touch or examine the patient physically and may not be appropriate to render through telehealth.
Watch this video of the firm’s Managing Partner, Erin Jackson, discussing the appropriateness of telehealth services.
Belief #7: As a provider, I can conduct telehealth visits through any platform and from anywhere.
Reality: False. You can’t use public-facing platforms, and you should not conduct telehealth sessions in public places.
The Notification allows health care providers to use non-public-facing online platforms to render telehealth. These can include Skype, Facebook Messenger video chat, WhatsApp video chat, Google Hangouts video, or Apple FaceTime, or texting applications like Signal, Jabber, Facebook Messenger, iMessage, Google Hangouts Chat, or WhatsApp. However, OCR urges health care providers to notify patients of the potential security risks of using such popular applications for telehealth. Recent news coverage of hackers entering private Zoom meetings is a great reminder of the inherent insecurities of online communication.
However, you cannot use public-facing platforms like TikTok, Facebook Live, Twitch, or public chat rooms like Slack. This is not to say that a provider cannot use these services to provide information about the risks of COVID-19. But a provider who chooses to offer public-facing presentations on a livestream should not identify patients or offer individualized patient advice.
Furthermore, OCR clarified that health care providers should conduct telehealth sessions in private settings, such as in a clinic, in their office, or another private location. Patients should not receive telehealth services in public or semi-public settings without the patient’s consent or outside of an exigent situation.
Belief #8: I don’t need to sign a BAA.
Reality: True, but obtaining one is not difficult and will make the transition back to HIPAA compliance smoother.
Normally, a provider would need to sign a Business Associate Agreement (“BAA”) with a HIPAA-compliant telehealth platform. One of the benefits of this Notification is that it temporarily limits penalties for not executing a BAA. However, when OCR eventually lifts the effectiveness of this Notification, providers will need to return to using HIPAA-compliant telehealth platforms and will need to sign BAAs with those platforms.
If you have not rendered services through telehealth and are beginning now amid the COVID-19 pandemic, it may be worthwhile to find a HIPAA-compliant platform and execute a BAA with that company. This step will ensure your compliance once OCR lifts this Notification of Enforcement Discretion. Some telehealth platforms that sign BAAs include Skype for Business, Zoom for Healthcare, Doxy.me, Google G Suite Hangouts Meet, Amazon Chime, and GoToMeeting.
Belief #9: The Notification also applies to violations of the confidentiality of substance use disorder records.
Reality: False, except in the case of a medical emergency where the patient’s prior informed consent could not be obtained.
The Substance Abuse and Mental Health Services Administration (SAMHSA) has clarified that patient identifying information relating to substance abuse disorders can be disclosed without the patient’s consent in very few situations.
Namely, providers should share information about substance abuse disorder only to the extent necessary to meet a bona fide medical emergency when they cannot obtain the patient’s prior informed consent. This information can also be re-disclosed for treatment purposes on an as-needed basis.
It is important to note that providers must make their own determination as to whether a bona fide emergency exists, warranting the release of patient information without their consent.
Latitude with Limits
In summary, OCR’s Notification offers telemedicine providers some breathing room to serve patients during a difficult time. It does not give covered entities free license to offer telehealth services on any platform, to treat patient data carelessly, or to relax HIPAA procedures for in-person visits. In fact, if you can adhere closely to the pre-emergency HIPAA requirements, you will find yourself better positioned to practice compliant telemedicine when the Notification expires.
If you have any questions about how to navigate the new regulatory landscape that is emerging amid the COVID-19 pandemic, or if you would like to set up a telehealth practice, reach out to the experienced attorneys at Jackson LLP: Healthcare Lawyers.
The COVID-19 pandemic is a dynamic and evolving public health emergency. The laws and situation are fluid, and this article may not reflect the most current situation.
This blog is made for educational purposes and is not intended to be specific legal advice to any particular person. It does not create an attorney-client relationship between our firm and the reader and should not be used as a substitute for competent legal advice from a licensed attorney in your jurisdiction.