On March 20, the U.S. Department of Health and Human Services (HHS) issued additional guidance in the form of Frequently Asked Questions (FAQs) on HIPAA and telehealth services to help providers furnish care during the COVID-19 pandemic.

The FAQs follow and provide further information on the Notification of Enforcement Discretion issued by HHS on March 17 (Notification), in which HHS indicated that it would not penalize providers for using popular video chat applications, such as FaceTime and Skype, in good faith to provide telehealth services amid the COVID-19 pandemic. HHS has emphasized, however, that the Notification does not allow the use of public-facing communications products, such as Facebook Live or other livestreaming applications.

In the FAQs, HHS first provides an important reminder that while the term telehealth refers to the “use of electronic information and telecommunications technologies” for remote health care and patient education, certain payors – including Medicare – place restrictions on the types of technologies that can be used in order for the services to be reimbursed.  HHS notes that such restrictions do not limit the scope of the Notification.

HHS then provides the following additional information on the Notification and telehealth generally:

  • The Notification applies to all health care providers that are covered by HIPAA and provide telehealth services during the COVID-19 emergency, with no limitations on the patients served via telehealth;
  • The Notification applies to all services that a provider believes, in his or her professional judgment, can be provided via telehealth under the circumstances of the emergency;
  • The Notification does not apply to health insurance companies that just pay for telehealth services;
  • The Notification applies to HIPAA’s Security Rule, Privacy Rule, and Breach Notification Rule regulations;
  • The Notification does not apply to substance use disorder records or communications covered by 42 C.F.R. Part 2;
  • The Notification does not have an expiration date;
  • Health care providers are expected to conduct telehealth services in private settings, and providers should implement reasonable safeguards to limit incidental uses or disclosures of protected health information;
  • The Notification applies only to the “good faith” provision of telehealth services, which HHS assesses via a facts and circumstances test. Examples of what would not qualify as good faith include the provision of telehealth services in furtherance of a criminal scheme or to violate state licensure law, or the use of public-facing communications products such as Facebook Live; and
  • Non-public-facing remote communication products can include FaceTime, Skype, Facebook Messenger video, WhatsApp video chat, or Google Hangouts video, but do not include livestreaming products.

HHS concluded the FAQs by stating that if a provider uses telehealth services during the COVID-19 pandemic and protected health information is intercepted during transmission, HHS will not pursue otherwise applicable penalties for any such breach.

Notably, in furtherance of the government’s efforts to promote the use of telehealth services to combat the COVID-19 pandemic, on March 23 HHS’s Centers for Medicare and Medicaid Services issued telehealth toolkits for providers available here (for general practitioners) and here (for ESRD providers).

This post was co-authored by Lisa Thompson and is also being shared on our Health Law Diagnosis blog. If you’re interested in getting updates on developments affecting health information privacy and HIPAA-related topics, we invite you to subscribe to the blog.