HHS OCR: New HIPAA Guidance to Support e-Consults

Practices that haven’t contracted with a telehealth platform may still be able to provide virtual consults using standard telecommunications technologies throughout the COVID-19 pandemic. 

The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) says that the COVID-19 national emergency constitutes a nationwide public health emergency. OCR says it “will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”  

OCR says that covered entities “can use any non-public facing remote communication product that is available to communicate with patients… This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.”

Under this new, temporary guidance, OCR says platforms such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype are acceptable, while Facebook Live, Twitch, TikTok, and similar video communication applications that are public facing are not.

Alissa Smith, a partner at the international law firm Dorsey & Whitney and co-chair of its Health Transactions and Regulations Practice Group, says the announcement is “very welcomed by the provider community… Providers have been anxiously seeking guidance from the Office for Civil Rights that will allow them easier access to treat patients and an easier and faster ability to communicate with colleagues outside of their own health system in order to make real time/rapid differential diagnosis communications, including sharing data and images with peers. The OCR’s guidance today makes sense and will improve patient care.”

Ms. Smith notes that HIPAA waivers have been made available to health care providers. "First, the Secretary of the Department of Health and Human Services (HHS) has issued limited HIPAA waivers to hospitals.  The waivers are retroactive to March 15, 2020.  See the HHS HIPAA waiver document here.  We addressed the possibility of these waivers in our earlier post, available here, along with a summary of some of the main HIPAA laws already in place which may be helpful to covered entities and business associates during this time of national and public health emergency," Ms. Smith says. 

“The HIPAA waiver document starts by reminding covered entities and their business associates that, in general, the HIPAA rules are not suspended during this time of a national and public health emergency,” Ms. Smith adds. “In particular, addressing a topic of much discussion among providers, the guidance includes a reminder that the HIPAA security safeguards rules (mandating reasonable administrative, technical and physical safeguards) apply to uses and disclosures of electronic protected health information as always. This statement is a reminder to health care providers of their obligations to use appropriate safeguards when using or disclosing protected health information.”

Ms. Smith says the OCR announcement of enforcement discretion “is particularly refreshing for health care providers who have been anxiously seeking easier methods, such as the use of personal devices and specific technologies, to interact via audio and/or video technologies with their patients and colleagues.” But she offers some words of caution.

"The OCR encourages providers to notify their patients that these third-party applications potentially introduce privacy risks," Ms. Smith says.  "Providers should also take as many security precautions as possible to protect patient information such as enabling ‘all available encryption and privacy modes when using such applications,’ and having these conversations in private spaces to avoid others who are not involved in the patient’s care overhearing the communication. 

"Further, even if a provider is using ‘everyday communications technologies,’ providers should take care to record the interactions in the patient’s medical record to ensure that patients’ records are complete and accurate."


OCR has published a bulletin advising covered entities of further flexibilities available to them as well as obligations that remain in effect under HIPAA as they respond to crises or emergencies at https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf.

Guidance on BAAs, including sample BAA provisions, is available at https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.

Additional information about HIPAA Security Rule safeguards is available at https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html.

HealthIT.gov has technical assistance on telehealth at https://www.healthit.gov/telehealth.