Social Distancing and Telehealth
Over the last several weeks, HHS Office of Civil Rights (OCR) has issued multiple press releases regarding HIPAA compliance during the COVID-19 crisis, and there is some confusion about these. To eliminate this confusion, please know that these communications from OCR have made only one change to HIPAA: OCR will not take enforcement action for HIPAA violations by health care providers who use certain non-HIPAA-compliant technologies for telehealth. The rationale is that HIPAA should not get in the way of implementing the necessary social distancing during this public health emergency.
Please review OCR’s HIPAA and COVID-19 page for the complete and unfiltered collection of guidance from HHS. Most of the guidance is simply clarifying HIPAA in the context of COVID-19 and explains rules permitting disclosures for public health purposes (e.g. reporting COVID-19 cases), rules regarding speaking with and notifying family members of a patient’s status, and explanations regarding other COVID-19 situations. The one new item is guidance re: relaxation of HIPAA enforcement for telehealth.
HIPAA Enforcement and Telehealth
The only change to HIPAA is that OCR will curtail HIPAA enforcement for providers who use non-HIPAA-compliant methods for social distancing with patients. First of all, HIPAA has always permitted the use of video conferencing, texting, and other capabilities that have the required security and compliance features. We know that some agencies have adopted systems for video communications, such as Zoom.
Using this platform as an example, County Boards should ensure that they select the “Zoom for Healthcare” contract, which includes security capabilities required by HIPAA. At a cost of about $20/user/month, this is relatively affordable, is feature rich, and complies with HIPAA requirements.
So is a DD agency’s business, say an SSA’s discussion with a family, “telehealth”?
- HHS defines it as technology to support “clinical health care, patient and professional health-related education.” OCR has relaxed the rules only for “health care providers.”
So does this relaxation of rules apply to DD Boards?
- DD Boards have always had to interpret the HIPAA regulations, designed for doctors and hospitals, in their context. Boards meet the definition of “health care provider.” Reasonable people could disagree whether an SSA’s use of video to communicate with a family was “clinical health care” or “patient health-related education.” Eagle’s opinion is that, during this crisis, a DD agency’s interpretation that it falls under this relaxation of rules is a good faith interpretation that OCR would support.
The guidance further specifies that to qualify under the relaxed rules, the technology used should be “non-public facing,” which includes, for example, Apple FaceTime, Facebook Messenger video chat, Google Hangouts Video, WhatsApp video chat, or Skype. It would also include texting apps such as Signal, Jabber, Facebook Messenger, Google Hangouts, WhatsApp, or iMessage.
In contrast, agencies should not use public-facing products, such as TikTok, Facebook Live, Twitch, or Slack. These products are not designed for one-on-one communications, but rather, can broadcast a conversation to the public.
Eagle advises agencies that choose to implement social distancing by using the acceptable, non-public-facing technologies to issue a short emergency policy and/or procedure to provide the specifics to their staff. Please feel free to call us with any questions that you may have.