HIPAA Privacy Enforcement Suspended During COVID-19


Amidst the worldwide COVID-19 pandemic, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) is allowing healthcare providers to use technology that is not HIPAA compliant.

HIPAA is the federal Health Insurance Portability and Accountability Act. HIPAA regulations protect patients from having their private information disclosed by healthcare providers, or treated in a manner that puts the information at risk of being disclosed.

On Tuesday, March 17, 2020, the OCR announced, effective immediately, that it will exercise its “enforcement discretion” by not imposing penalties against healthcare providers for HIPAA violations in certain telehealth circumstances. Telehealth is the provision of medical services via remote methods, such as telephone or videochat. OCR will not impose penalties for HIPAA violations in the use of telehealth services, but only when those services are used in good faith for treatment or diagnostic purposes. The service does not have to be directly related to COVID-19. A healthcare provider that would like to use audio or video communication technology may use a “non-public facing” (not available for public access) remote communication product.

Under the OCR’s notice, popular videochat apps such as the following may be used for telehealth, though they may violate HIPAA rules:

  • Apple FaceTime,
  • Facebook Messenger Video Chat,
  • Google Hangouts video,
  • Skype, or
  • Zoom

However, healthcare providers may not use:

  • Facebook Live
  • Twitch
  • TikTok
  • Or similar video communication apps that are “public facing”

Notwithstanding the relaxed rules, there are several vendors that represent they can provide healthcare video communication products through a HIPAA-compliant business associate agreement. Some of these vendors are:

  • Skype for Business/Microsoft Teams
  • Updox
  • VSee
  • Zoom for Healthcare
  • Doxy.me
  • Google G Suite Hangouts Meet
  • Cisco Webex Meetings/Webex Teams
  • Amazon Chime
  • GoToMeeting

Allowing healthcare providers to continue to examine patients during the COVID-19 crisis, while limiting the risks of in-person exposure, is a noble goal. The obvious negative is that many third-party communication apps, including those referenced by the OCR, pose privacy risks to the patient. For the vast majority of us, the COVID-19 crisis will be over in due time. But our personally identifying information, such as our names, addresses, and social security numbers, is a lot more difficult to change.

In our opinion, if a healthcare provider intends to utilize a non-HIPAA-compliant communication vendor or application, that should be disclosed to the patient and their consent should be obtained, at a minimum. The patient should be informed prior to consenting that using the service may put their private information at risk. The healthcare provider should take reasonable steps, no matter what particular service is being used, to enable whatever encryption and privacy protection settings are available. HIPAA-compliant vendors and technology should be the clinician’s first choice.

Find the OCR’s Notice here: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html

For additional information: https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf