• Text Resize A A A
  • Print Print
  • Share Share on facebook Share on twitter Share

Category: Coronavirus

Topics:

3025-If a covered health care provider uses telehealth services during the COVID-19 outbreak and electronic protected health information is intercepted during transmission, will OCR impose a penalty on the provider for violating the HIPAA Security Rule?

No. OCR will exercise its enforcement discretion and will not pursue otherwise applicable penalties for breaches that result from the good faith provision of telehealth services during the COVID-19 nationwide public health emergency. OCR would consider all facts and circumstances when determining what constitutes a good faith provision of telehealth services. For example, if a provider follows the terms of the Notification and any applicable OCR guidance (such as this and other FAQs on COVID-19 and HIPAA), it will not face HIPAA penalties if it experiences a hack that exposes protected health information from a telehealth session.

Posted in: Coronavirus
3024-What is a "non-public facing" remote communication product?

A "non-public facing" remote communication product is one that, as a default, allows only the intended parties to participate in the communication.

Posted in: Coronavirus
3023-What may constitute bad faith in the provision of telehealth by a covered health care provider, which would not be covered by the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications?

OCR would consider all facts and circumstances when determining whether a health care provider's use of telehealth services is provided in good faith and thereby covered by the Notice. Some examples of what OCR may consider a bad faith provision of telehealth services that is not covered by this Notice include:

Posted in: Coronavirus
3022-What telehealth services are covered by the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications?

All services that a covered health care provider, in their professional judgement, believes can be provided through telehealth in the given circumstances of the current emergency are covered by this Notification. This includes diagnosis or treatment of COVID-19 related conditions, such as taking a patient’s temperature or other vitals remotely, and diagnosis or treatment of non-COVID-19 related conditions, such as review of physical therapy practices, mental health counseling, or adjustment of prescriptions, among many others.

Posted in: Coronavirus
3021-Where can health care providers conduct telehealth?

OCR expects health care providers will ordinarily conduct telehealth in private settings, such as a doctor in a clinic or office connecting to a patient who is at home or at another clinic. Providers should always use private locations and patients should not receive telehealth services in public or semi-public settings, absent patient consent or exigent circumstances.

Posted in: Coronavirus
3019-Does the Notification of Enforcement Discretion regarding COVID- 19 and remote telehealth communications apply to violations of 42 CFR Part 2, the HHS regulation that protects the confidentiality of substance use disorder patient records?

No, the Notification addresses the enforcement only of the HIPAA Rules. The Substance Abuse and Mental Health Services Administration (SAMHSA) has issued similar guidance on COVID-19 and 42 CFR Part 2, which is available at: https://www.samhsa.gov/sites/default/files/covid-19-42-cfr-part-2- guidance-03192020.pdf.

Posted in: Coronavirus
3018-Which parts of the HIPAA Rules are included in the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications?

Covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This Notification does not affect the application of the HIPAA Rules to other areas of health care outside of telehealth during the emergency.

Posted in: Coronavirus
3017-What patients can a covered health care provider treat under the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications and does it include Medicare and Medicaid patients?

This Notification applies to all HIPAA-covered health care providers, with no limitation on the patients they serve with telehealth, including those patients that receive Medicare or Medicaid benefits, and those that do not.

Posted in: Coronavirus
3016-What entities are included and excluded under the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications?

The Notification of Enforcement Discretion issued by the HHS Office for Civil Rights (OCR) applies to all health care providers that are covered by HIPAA and provide telehealth services during the emergency. A health insurancecompany that pays for telehealth services is not covered by the Notification of Enforcement Discretion.

Posted in: Coronavirus
3015-What is telehealth?

The Health Resources and Services Administration (HRSA) of the U.S. Department of Health and Human Services (HHS) defines telehealth as the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration. Technologies include videoconferencing, the internet, store- and-forward imaging, streaming media, and landline and wireless communications.

Posted in: Coronavirus