FAQ on Telehealth Enforcement Exceptions by the Department of Health and Human Services (DHHS) during the COVID-19 Public Health Emergency.

January 27, 2021

  1. What does it mean that the DHHS Office of Civil Rights (OCR) “relaxed” its enforcement of some HIPAA rules?

    On March 17, 2020, OCR issued a notification of “enforcement discretion” related to the good faith use of non-HIPAA-compliant telecommunication platforms. In essence, to facilitate remote care during the COVID-19 crisis, the OCR decided not to enforce the requirement that providers meet HIPAA’s security standards (e.g., having a Business Associate Agreement) on telehealth platforms. But, as noted in more detail below, the platform must not be public facing: no Facebook Messenger or anything that has a public component.

  2. I heard that the exception to enforcement expired on January 23, 2021: Is that true?

    No. The enforcement discretion continues each time the federally declared public health emergency (PHE) is renewed. The DHHS initially declared a PHE effective January 27, 2020. It has since been renewed four times. The most recent renewal was January 21, 2021. Because each PHE declaration lasts 90 days, the OCR has extended its relaxation of enforcement until April 2021 at a minimum.

  3. Does that mean that on April 21, 2021, the OCR’s enforcement discretion will expire?

    Not necessarily: The OCR will continue its relaxation of enforcement for the duration of the PHE. If the PHE is extended again, OCR clarified that its enforcement discretion will also be extended.

  4. How do I find out whether the PHE and enforcement discretion have been renewed?

    You can check on the DHHS Emergency Services homepage, under “[Renewal of] Determination That A Public Health Emergency Exists.” See, for example, the PHE extension dated January 21, 2021: https://www.phe.gov/emergency/news/healthactions/phe/Pages/covid19-07Jan2021.aspx

  5. Does this mean clinicians are free to use any platform they wish during the PHE?

    No. OCR put in place some limitations on its relaxation of enforcement actions. The two most relevant limits are, first, that it still prohibits the use of “public-facing” systems of interaction, such as Facebook Live, Twitch, TikTok, or a public chatroom. “Non-public-facing” systems, such as Google Hangouts Video, Zoom, and FaceTime, among others, are permitted.

    Second, OCR will continue to enforce HIPAA security rules if there is a documented violation of either state licensing laws or professional standards (ethics codes) regarding telehealth treatment. Remember, the federal HIPAA standard is not the only source of laws and rules regarding privacy.

    States often have their own telehealth and confidentiality laws related to licensing of healthcare providers, and licensing boards may have regulations governing these concerns. If these state laws give more privacy rights to patients/clients than HIPAA, the state laws will ordinarily take precedence.

    It is also important to note that a particular state may not have reduced enforcement of its own standards during the PHE. As a result, The Trust RM Team has been recommending that providers use secure, HIPAA-compliant platforms despite the OCR enforcement discretion. To the extent possible, it is safer to comply with pre-COVID-19 HIPAA standards, as well as the APA Ethics Code (2017) and state licensing statutes and regulatory requirements.

    We also recommend that you check with your local state licensing board regarding any rules or requirements concerning telehealth treatment.

    As always, if you have any additional questions and are a Trust policyholder, please feel free to schedule a consultation with a Risk Management consultant at 800-477-1200.