We wrote previously about HIPAA enforcement being suspended for telehealth during COVID-19 and more details on how to implement it. Plus, we shared the expansion of Medicare coverage and payment for telehealth. However, there were still many questions.
The good news is that HHS released a HIPAA and Telehealth FAQ that addresses some of those questions.
You can read the full FAQ, but here are some of the highlights:
Telehealth is defined quite broadly and can include audio, text messaging, or video communication technology, including videoconferencing software. This of course only applies to HIPAA enforcement and not whether the payer will pay for the service. That’s a different question that should be addressed to the payer.
Health insurers that pay for telehealth services are not part of the enforcement discretion. Payment for telehealth services should still follow HIPAA.
The enforcement discretion applies to all patients.
The enforcement discretion only applies to telehealth, not other areas that HIPAA covers.
There is currently no end date to the suspension of HIPAA for telehealth, but OCR will issue notice when it’s over.
Providers should provide telehealth in a private area.
“Non-public facing” remote communication products are the ones covered by the HIPAA enforcement discretion. Here are the guidelines for them:
A “non-public facing” remote communication product is one that, by default, allows only the intended parties to participate in the communication.
Examples include:
- Apple FaceTime
- Facebook Messenger video chat
- Google Hangouts video
- Whatsapp video chat
- Skype
- Signal
- Jabber
- Facebook Messenger
- Google Hangouts
- iMessage
Note that texting applications that provide end-to-end encryption and individual user accounts are included on this list.
Applications that are “public-facing” should NOT be used; they remain subject to HIPAA penalties and enforcement. Examples include:
- TikTok
- Facebook Live
- Twitch
- A Chatroom like Slack
Public presentations using these technologies that don’t share an individual patient’s PHI on the live stream are ok, since they wouldn’t be covered by HIPAA in the first place.
OCR does encourage providers to use telehealth vendors that comply with the Security Rule and are willing to sign a HIPAA BAA.
What other questions do you have? Let us know in the comments or on Twitter with @hcittoday.