The Health Insurance Portability and Accountability Act of 1996 (HIPAA) limits the types of telehealth technologies that covered health care providers may use to provide telehealth services to patients. Those technologies are subject to HIPAA’s strict privacy and security requirements, and often business associate agreements are required with the vendors providing the audio, video, or other technology for the telehealth service. Violations can lead to significant penalties. 

In response to the novel coronavirus (COVID-19) nationwide public health emergency, U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) will temporarily not enforce penalties for using non-HIPAA compliant telehealth technologies when providing telehealth services related to potential COVID-19 exposure or for any other medical condition. 

Providers that want to use video chat or other remote communication technologies during the current emergency period now have more flexibility to use non-HIPAA compliant technologies, even without a business associate agreement in place with the technology vendor. On March 17, 2020, OCR announced a “notification of enforcement discretion for telehealth remote communications during the COVID-19 nationwide public health emergency” (notice). Effective immediately, OCR will not impose penalties under HIPAA in connection with the good faith provision of telehealth services during the COVID-19 national public health emergency. This notice follows HHS’s recent bulletin waiving sanctions and penalties under HIPAA for covered hospitals under certain limited circumstances. 

Under the notice and during the emergency period, OCR will permit HIPAA-covered healthcare providers to communicate with patients and provide telehealth services through remote communication technologies, even if the technologies and how they are used may not be fully HIPAA-compliant. As long as the telehealth service was provided in good faith and meets the requirements of the notice, OCR will not impose penalties for noncompliance with HIPAA. This notice applies broadly to telehealth provided for any reason, regardless of whether the use of the telehealth service is for the diagnosis and treatment of health conditions related to COVID-19. OCR expressly intends to allow providers to exercise their professional judgment to request to examine a patient exhibiting COVID-19 symptoms via telehealth technologies to limit the risk that other patients may be exposed to infection during an in-person consultation. At the same time, OCR is permitting the use of similar telehealth services to assess or treat any other medical condition, even if not related to COVID-19, such as “a sprained ankle, dental consultation or psychological evaluation, or other conditions.” 

Under the notice, OCR will not impose penalties against covered health care providers for the lack of a business associate agreement (BAA) with video communication vendors, or for any other noncompliance with HIPAA that relates to the good faith provision of telehealth services. OCR still encourages covered healthcare providers that seek additional privacy protections for telehealth while using video communication products to provide services through technology vendors that are HIPAA-compliant, and that will enter into BAA in connection with the use of their video communication products. 

While telehealth services provided in compliance with this notice will not be at risk for HIPAA penalties, providers’ communications with patients could still be subject to other federal and state privacy laws. Additionally, even during the current emergency period, providers’ provision of telehealth services and related communications with patients may be subject to such other federal and state laws.