Client Alert: OCR Issues Guidance About Sharing Patient Information and Telehealth Communications during Pandemic
Date: March 31, 2020
Telehealth Communications
The OCR has recognized that, during the COVID-19 national emergency, health care providers may seek to communicate with patients, and provide so-called “telehealth” services, through remote communications technologies. Some of these technologies, and the manner in which they are used by HIPAA-covered healthcare providers, may not fully comply with the requirements of the HIPAA Rules. However, in light of the national emergency, the OCR said that it will not impose penalties against covered health care providers for the lack of a HIPAA business associate agreement (“BAA”) with video communication vendors, or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health crisis.
Permitted Applications
Thus, covered entities may use popular applications that allow for video chats, including:
- Apple FaceTime,
- Facebook Messenger video chat,
- Google Hangouts video,
- Zoom, and
- Skype
to provide telehealth without risk that the OCR might seek to impose a penalty, provided that such use is related to the good faith provision of telehealth during the COVID-19 crisis. Even so, the OCR encouraged providers to notify patients that these third-party applications potentially introduce privacy risks, and to enable all available encryption and privacy modes when using those applications.
Prohibited Applications
Importantly, the OCR has clarified that providers should not use public-facing applications (those that broadcast to anyone, rather than to a specific patient), including:
- Facebook Live,
- Twitch, and
- TikTok
Preferred Vendors
The OCR recommends that providers who seek additional privacy protections should use vendors that represent that their products are HIPAA compliant and that will enter into a BAA. Such vendors include:
- Skype for Business / Microsoft Teams,
- Updox,
- VSee,
- Zoom / Zoom for Healthcare,
- Doxy.me,
- Google G Suite Hangouts Meet,
- Cisco Webex Meetings / Webex Teams,
- Amazon Chime, and
- GoToMeeting
Sharing of Patient Health Information
Generally, HIPAA protects the privacy of patients’ protected health information (“PHI”), but it is balanced to ensure that appropriate uses and disclosures of that information may still be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes. Under certain circumstances, HIPAA allows PHI to be disclosed without a patient’s consent.
Treatment of the Patient or a Different Patient: Without a patient’s consent, healthcare providers may disclose PHI about the patient as necessary to treat the patient or to treat a different patient. Treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment.
Public Health Activities: Without a patient’s consent, PHI may be disclosed to a public health authority, such as the CDC or a state or local health department, for the purpose of preventing or controlling disease. PHI may also be disclosed to persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations. Healthcare providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct.
Importantly, a healthcare provider must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose. Even in an emergency situation, healthcare providers must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic PHI.
We are here to help. Please let us know if you have any questions regarding HIPAA or any other data privacy or security law.
The information contained here is not intended to provide legal advice or opinion and should not be acted upon without consulting an attorney. Counsel should not be selected based on advertising materials, and we recommend that you conduct further investigation when seeking legal representation.