For Psychologists, By Psychologists ®
Search
About
TrustPARMA
The Trust
TRMS, Inc.
FAQ
Insurance Programs
Helpful Resources
General Questions
Risk Management
Liability Insurance
Customer Service
State Endorsements
Trust Partners
Insurance Programs
Professional Liability
Student Liability
Research & Academician Liability
Business Office
Cyber Enterprise
Office Overhead
Income Protection (Disability)
LifeStyle-5 Plan
LifeStyle-65 Plan
LifeStyle-65 Plus Plan
Economizer-65 Plan
Long Term Care
Group Term Life
Auto, Home & Renters
Pet Health
Retirement Planning
Workshops & Webinars
Business of Practice Webinar Series
Live Webinars
On-Demand Webinars
Risk Management Roundtables
Telehealth Community Chats
Cultural Competency
ABPP Webinar Series
HIPAA Webinar Series
Live Workshops (Sequences)
Virtual Webinar Series
Telehealth Community Chats
Risk Management Roundtables
Cultural Competency
ABPP Webinar Series
HIPAA Webinar Series
2023 National Practice Conference (On-Demand)
PSYPACT Bundle (On-Demand)
Independent Learning
Telepsychology Competencies Credential
Educators - Risk Management Training Curriculum
SECPs - Risk Management Training Curriculum
Risk Management Book
Taylor Study Method
CAMS-care Suicide Prevention
AATBS
Resource Center
Student & Early Career Resources
Document Library & Quick Guides
Articles
Glossary of Terms
Contact
Continuing Education
Home
/
Resource Center
/
COVID-19 Resources
/
FAQ on Telehealth Enforcement Exceptions
FAQ on Telehealth Enforcement Exceptions by the Department of Health and Human Services (DHHS) during the COVID-19 Public Health Emergency.
January 27, 2021
What does it mean that the DHHS Office of Civil Rights (OCR) “relaxed” its enforcement of some HIPAA rules?
On March 17, 2020, OCR issued a notification of an “enforcement discretion” related to the good faith use of non-HIPAA compliant telecommunication platforms. In essence, to facilitate remote care curing the COVID-19 crisis the OCR decided not to enforce the requirement that providers meet HIPAA’s security standards (e.g., having a Business Associates Agreement) on telehealth platforms. But, as noted in more detail below, the platform must not be public facing; no Facebook Messenger or anything that has a public component.
I heard that the exception to enforcement expired on January 23, 2021: Is that true?
No. The enforcement discretion continues each time the federally declared public health emergency (PHE) is renewed. The DHHS initially declared a PHE effective January 27, 2020. It has since been renewed four times. The most recent renewal was January 21, 2021. Because the PHE declaration lasts 90 days, the OCR has extended its relaxation of enforcement until April, 2021 at a minimum.
Does that mean that on April 21, 2021, the OCR’s enforcement discretion will expire?
Not necessarily: The OCR will continue its relaxation of enforcement for the duration of the PHE. If the PHE is extended again, OCR clarified that its enforcement discretion will also be extended.
How do I find out whether the PHE and enforcement discretion have been renewed?
You can check on the DHHS Emergency Services homepage, under “[Renewal of] Determination That A Public Health Emergency Exists.” See, for example, the PHE extension dated January 21, 2021;
https://www.phe.gov/emergency/news/healthactions/phe/Pages/covid19-07Jan2021.aspx
Does this mean clinicians are free to use any platform they wish during the PHE?
No. OCR put in place some limitations on its relaxation of enforcement actions. The two most relevant limits include, first, that it still prohibits the use of “public-facing” systems of interaction, such as Facebook Live, Twitch, Tik Tok, or a public chatroom. “Nonpublic-facing” systems, such as Google Hangouts Video, Zoom, and Facetime, among others, are permitted.
Second, OCR will continue to enforce HIPAA security rules if there is a documented violation of either state licensing laws or professional standards (ethics codes) regarding telehealth treatment. Remember, the federal HIPAA standard is not the only source of laws and rules regarding privacy.
States often have their own telehealth and confidentiality laws related to licensing of healthcare providers, and licensing boards may have regulations governing these concerns. If these state laws give more privacy rights to patients/clients than HIPAA, the state laws will ordinarily take precedence.
It is also important to note that a particular state may not have reduced enforcement of their own standards during the PHE. As a result, The Trust RM Team has been recommending providers use secure and HIPAA compliant platforms despite the OCR enforcement discretion. To the extent possible, it is safer to comply with pre-COVID-19 HIPAA standards, as well as the APA Ethics Code (2017) and state licensing statutes and regulatory requirements.
We also recommend that you check with your local state licensing board regarding any rules or requirements concerning telehealth treatment.
As always, if you have any additional questions and are a Trust policyholder, please feel free to schedule a consultation with a Risk Management consultant at 800-477-1200.
Student & Early Career Resources
Document Library & Quick Guides
Articles
Glossary of Terms