What are the HIPAA Telehealth Rules for COVID-19? (FAQs)


Since the Office of Civil Rights (OCR) released its Notification of Enforcement Discretion for Telehealth Remote Communications in March, healthcare organizations want to know what it means to provide HIPAA compliant telehealthcare during the Coronavirus crisis. These FAQs answer the most common questions about the HIPAA telehealth rules for healthcare organizations during COVID-19.

Which HIPAA telehealth rules are affected by COVID-19?

HIPAA Privacy, Security and Breach Notification Rules — HIPAA covered healthcare organizations won’t be subject to sanctions or penalties if they violate HIPAA Privacy, Security, and Breach Notification Rules when providing telehealthcare in good faith during the COVID-19 nationwide Public Health Emergency.

Which HIPAA covered entities qualify for the telehealth enforcement discretion during COVID-19?

Healthcare providers only — The HIPAA telehealth Enforcement Discretion applies to all healthcare providers that are covered by HIPAA and provide telehealth services during the emergency or transmit any health information in electronic form (ePHI) in connection with a transaction.

Under HIPAA, healthcare providers are organizations that provide medical or health services, bill for healthcare services, and are paid for healthcare in the normal course of business.

Examples of healthcare providers under HIPAA are:

  • Clinics
  • Hospitals
  • Pharmacists
  • Laboratories
  • Physicians
  • Nurses
  • Home Health Aides
  • Therapists
  • Mental Health Professionals
  • Dentists
  • Any other person or entity that provides healthcare

Which HIPAA covered entities do not qualify for the telehealth enforcement discretion during COVID-19?

Health insurance companies — Health insurance companies that pay for telehealth services but do not provide them are not considered covered entities for the purposes of the telehealth Enforcement Discretion. The Enforcement Discretion covers healthcare providers only.

What patients can healthcare organizations treat under the telehealth enforcement discretion for COVID-19?

Any patient — HIPAA covered healthcare providers can treat any patients they normally serve using telehealth or telemedicine — with no limitations. This includes both COVID-19 and non-COVID-19 related telehealthcare services.

It also includes both patients that receive Medicare or Medicaid benefits and patients that don’t. (Any telehealth restrictions imposed by Medicare or Medicaid do not limit the HIPAA Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications.)

What is telehealth according to the HHS?

The HHS defines telehealth as the use of “electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration.”

This includes technology such as:

  • The internet
  • Video conferencing software
  • Streaming media
  • Storage and forwarding of images
  • Landline communication
  • Wireless communications — audio, text, imaging, video.

But this doesn’t mean that healthcare providers can jump on any platform. The OCR specifically states that providers must use non-public facing applications.

What are non-public facing applications?

Non-public facing communication platforms are those designed to admit only the specific parties to the telehealth conversation. They should use end-to-end encryption and support individual user accounts and login credentials.

Examples of non-public facing remote communication platforms with end-to-end encryption:

  • WhatsApp
  • Telegram
  • FaceTime
  • iMessage
  • Signal
  • Facebook Messenger Secret Conversations (iPhone, iPad, and Android only)
  • Skype Private Conversation
  • SnapEngage LiveChat

Examples of non-public facing remote communication platforms without end-to-end encryption:

  • Google Hangouts
  • Facebook Messenger
  • Skype


What are public facing applications?

Public facing applications are not allowed under the Notification of Enforcement Discretion for Telehealth. Public facing technologies are open to the public and are not considered private. Examples of public facing communications are:

  • Facebook
  • TikTok
  • Slack

What are HIPAA compliant telehealth vendors?

HHS also notes that healthcare providers who want additional telehealth privacy should seek out technology vendors that are already HIPAA compliant and are willing to enter into a business associate agreement (BAA) with covered entities.

The HHS website lists some technology vendors that may have HIPAA compliant communication products. But OCR has not reviewed them. Nor does it certify or recommend them — or any other specific technology.

Even though the OCR assures covered healthcare providers that they will not be penalized for using less secure tech communication products during the Public Health Emergency, it advises telehealthcare providers that they should make an effort to use end-to-end encrypted technologies and inform patients of privacy risks when they can’t.

How long will the HIPAA telehealth rules for COVID-19 last?

The Notification of Enforcement Discretion for Telehealth will last as long as the declared Public Health Emergency during COVID-19 lasts. A Public Health Emergency lasts until the HHS Secretary determines that the Public Health Emergency is over. He can extend it for additional 90-day periods, but ultimately, the protection against HIPAA penalties for telehealth ends when the Secretary says it does.

What happens if the Public Health Emergency officially ends, but healthcare providers still need to use telehealth?

This is a situation that all HIPAA covered healthcare providers should be aware of.

While the HHS Secretary may declare the national Public Health Emergency terminated, healthcare providers may still find that they depend on telehealth and telemedicine in their regions to serve patients — coronavirus related or not.

Healthcare providers who depend on non-HIPAA compliant technologies to serve their patients may then find themselves in a grey zone when it comes to HIPAA sanctions or penalties.

The best way to prepare for this is by integrating HIPAA compliant technology today, with a Business Associate Agreement in place. Otherwise you may find yourself scrambling when the telehealth Enforcement Discretion is terminated.

Contact SnapEngage to learn how we can help you stay HIPAA compliant through COVID-19 and beyond.

SnapEngage’s HealthEngage is the world’s first HIPAA compliant live chat. We’re set up to address your needs through COVID-19 and beyond. For example, our COVID-19 Coronavirus Symptom Checker Bot offers a sequence of questions and answers to help patients understand their options and helps staff answer questions quickly.

Get set up with the leading HIPAA compliant conversational platform designed for healthcare today, and you won’t have to worry about continuing to provide exceptional service while staying HIPAA compliant tomorrow.