In an unprecedented announcement (and on the heels of other directives on healthcare privacy matters), the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services (HHS) issued a statement on March 17, 2020, that it will not impose penalties against covered entity healthcare providers in connection with their “good faith provision of telehealth services” as long as the Public Health Emergency related to COVID-19 is in place. OCR is the federal agency responsible for the regulation and enforcement of the Health Insurance Portability and Accountability Act of 1996 and its Privacy and Security Rules (together, HIPAA).
Typically, HIPAA requires that healthcare providers use video communication products only from technology vendors that are HIPAA-compliant, and only if they enter into HIPAA business associate agreements with such vendors. This is a best practice for any healthcare provider to comply with HIPAA and to minimize the risk of a data privacy breach. OCR specifically references examples of HIPAA-compliant vendors in its notice:
- Skype for Business/Microsoft Teams
- Updox
- VSee
- Zoom for Healthcare
- Doxy.me
- Google G Suite Hangouts Meet
Even with this list, OCR recognizes that some healthcare providers may not have the infrastructure in place to facilitate video-conferencing during the COVID-19 Public Health Emergency. Accordingly, OCR will not preclude the temporary use of popular apps such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype. But OCR does clarify that public-facing apps such as Facebook Live, Twitch, TikTok, or other similar video communication applications are not permitted for telehealth services. Use of public-facing apps could therefore still subject a healthcare provider to HIPAA penalties for non-compliance.