Health and Human Services (HHS) Office for Civil Rights (OCR): Telehealth and HIPPA during COVID-19 Pandemic
Telehealth services may be provided, for example, through audio, text messaging, or video communication technology, including video conferencing software
Provider should be in a private setting, ordinarily in clinic or office (but does not mandate these locations)
Up to provider discretion as to what can reasonably be covered by telehealth
Covered health care providers will not be subject to penalties under HIPAA that occur during good faith provision of telehealth during COVID-19
Good faith: attempting to provide the most timely and accessible care possible
Currently no expiration date; will be announced at a later date
Examples of “bad faith”:
Criminal acts: fraud, identity theft, intentional invasion of privacy
Sale of patient data
Ethical violations
Use of public-facing remote communications such as: TikTok, Facebook Live, Twitch, or public chat room. These provide wide or indiscriminate access to the communications
HHS advocates the use of non-public facing platforms that employ end-to-end encryption
Only an individual and person to whom the individual is communicating to see what is transmitted
Support individual user accounts, logins, and passcodes to limit access and verify participants
Examples of non-public facing products (although none specifically endorsed by OCR):
Providers encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications
