If a covered health care provider uses telehealth services during the COVID-19 outbreak and electronic protected health information is intercepted during transmission, will OCR impose a penalty on the provider for violating the HIPAA Security Rule?

No. OCR will exercise its enforcement discretion and will not pursue otherwise applicable penalties for breaches that result from the good faith provision of telehealth services during the COVID-19 nationwide public health emergency. OCR would consider all facts and circumstances when determining what constitutes a good faith provision of telehealth services. For example, if a provider follows the terms of the Notification and any applicable OCR guidance (such as this and other FAQs on COVID-19 and HIPAA), it will not face HIPAA penalties if it experiences a hack that exposes protected health information from a telehealth session.

OCR believes that many current and commonly available remote electronic communication products include security features to protect ePHI transmitted between health care providers and patients. In addition, video communication vendors familiar with the requirements of the Security Rule often include stronger security capabilities to prevent data interception and provide assurances they will protect ePHI by signing a HIPAA business associate agreement (BAA). Providers seeking to use video communication products are encouraged to use such vendors, but will not be penalized for using less secure products in their effort to provide the most timely and accessible care possible to patients during the Public Health Emergency.

Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

OCR does not endorse the use of or the security capabilities of any particular communications product.

Content created by Office for Civil Rights (OCR)
Content last reviewed March 27, 2020