Audrey Davis and Andrew Kuder, Associates in the Health Care and Life Sciences practice, in the firm’s Washington, DC, and Newark offices, respectively, were featured in a Q&A discussion in TCI SuperCoder, titled “Keep a Grip on HIPAA Compliance.” (Read the full version – subscription required.)

Following is an excerpt:

If you’re stumped by the regulatory nuances associated with the Medicare telehealth expansion or the subsequent HIPAA notification of enforcement discretion, you’re not alone. Many healthcare providers are confused by the endless policy revisions and fuzzy timelines to address the public health emergency (PHE). …

In coordination with the Medicare telehealth expansion, the HHS Office for Civil Rights (OCR) issued a HIPAA notification of enforcement discretion. The agency announced it would “not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered healthcare providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency,” OCR said.

Under these eased standards, providers are allowed to utilize non-public-facing technologies like FaceTime and Skype in “good faith” for telehealth visits; however, public-facing technologies like TikTok and Facebook Live, which are not private and can lead easily to the loss of protected health information (PHI), are not permitted. …

“OCR [also] noted in its FAQs that many platforms employ end-to-end encryption and limit access to authorized participants,” explain attorneys Audrey Davis and Andrew Kuder with national law firm Epstein, Becker & Green PC. “In other words, OCR seems to be comfortable enough with the protections offered by these technologies for the time being.”

Davis and Kuder add, “However, it’s unclear if OCR will remain comfortable in the long-term, as it’s too soon to determine the waiver’s risk to patient privacy and security.” …

The enforcement discretion only works for covered providers if they’re abiding in “good faith” by the OCR’s guidelines. Practitioners should try to keep in line with these provisions.

Davis and Kuder advise covered providers to take the following actions:

  • Utilize clinical expertise: Exercise professional judgment on a case-by-case basis as to whether telehealth is appropriate for the specific patient under their specific circumstances.
  • Manage apps: If use of HIPAA-compliant technology is not possible, use a technology platform included in OCR’s list of “non-public facing” remote communication products in its published FAQs (and, similarly, avoid those technologies OCR identifies as unacceptable).
  • Explain the risks: At the beginning of the service, inform the patient of the privacy risks associated with use of the relevant technology.
  • Implement IT: If the technology offers any encryption or enhanced privacy settings, ensure those settings are enabled.
  • Find a private place: Render telehealth services from private locations and ask that patients locate themselves in a private setting if possible. If the patient cannot be in a completely private location, the provider should speak in a lowered voice and ask that the patient do the same (or ask if the patient would rather reschedule).
  • Know states’ laws upfront: Ensure that you are not violating any state licensing laws if rendering services to a patient located in another state. While some of these laws may currently be waived, it is important to check for updated information from the relevant state licensing board prior to rendering services to someone located in another state.