Our previous bulletin highlighted the Notification of Enforcement Discretion (the Notification) issued by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) regarding the suspension of penalties for HIPAA violations arising from the use of telehealth communication technologies during the COVID-19 nationwide public health emergency. As a follow-up, the OCR has now published additional guidance in the form of FAQs. The FAQs clarify that although the OCR intends to suspend penalties for all health care providers that are covered by HIPAA and engage in the good faith provision of telehealth services during the public health emergency, this does not cover health insurance companies that merely pay for telehealth services. The FAQs further note that the Notification applies across all patient populations and to all services that a covered health care provider believes can be provided through telehealth, including diagnosis or treatment. Covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security and Breach Notification Rules that occur in good faith delivery of telehealth during the COVID-19 nationwide public health emergency. The OCR stressed that its Enforcement Discretion only applies to the HIPAA Rules and will remain in effect until the OCR announces its termination. In addition, the OCR stressed that the Notification does not affect the application of the HIPAA Rules to other areas of health care outside of telehealth during the national emergency.
OCR also noted that health care providers should still seek private quarters and non-public facing communication products to conduct telehealth communications with patients, and if a private setting is not feasible, implement “reasonable HIPAA safeguards” to limit incidental uses or disclosures of protected health information.
Additionally, the Substance Abuse and Mental Health Services Administration (SAMHSA) released an emergency response stating that the prohibitions on use and disclosure of patient identifying information under 42 C.F.R. Part 2 would not apply if the provider determined that a medical emergency exists, meaning that patient consent is not required to disclose patient identifying information if a health care provider genuinely deems a medical emergency exists.
As the nation continues to respond to the rapidly evolving COVID-19 pandemic, Taft strives to provide regular updates regarding legal developments impacting our clients. Please reach out to us with questions or if we can be of assistance in these unprecedented times.