Mon – Fri: 7:00am—5:00pm (PST)
© SBMA 2022 – all rights reserved
With the recent pandemic, many things have changed in regard to healthcare services. One major way healthcare has changed over the last few months is through the expansion of telehealth services. The Office of Civil Rights has recently relaxed the constraints surrounding which video conferencing applications are HIPAA compliant, provided that these services are offered in good faith. As OCR relaxed HIPAA enforcement, the use of telehealth services has increased. The article below details how these relaxed regulations have changed the telemedicine world, and why we can expect it to stick post-COVID:
As the COVID-19 pandemic continues to spread across the country, doctors, dentists, therapists, and other healthcare providers have turned to telehealth use with their patients by way of videoconferencing applications such as Zoom, Skype and WebEx. The Office of Civil Rights and the Department of Health and Human Services (“OCR”) defines telehealth as “the use of electronic information and telecommunications technologies to support long-distance clinical health care, patient and professional health-related education, public health and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and terrestrial and wireless communications.”
There are a number of privacy concerns healthcare providers should consider when utilizing telehealth technology. Generally, healthcare providers providing telehealth services are subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, not every videoconferencing application is HIPAA-compliant. HIPAA requires that a healthcare provider who utilizes a vendor to transmit or maintain protected health information, or who utilizes a vendor who has routine access to protected health information (PHI), must have a Business Associate Agreement (BAA) with each vendor.
In light of COVID-19, the OCR recently relaxed its enforcement of HIPAA’s privacy and security rules and issued a notification stating that it will practice “enforcement discretion” regarding HIPAA’s privacy and security rules. The OCR will not impose penalties for noncompliance with HIPAA for healthcare providers’ “good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency”, whether the telehealth services are related to a COVID-19 diagnosis and treatment or not, including for example, “a sprained ankle, dental consultation or psychological evaluation, or other conditions.”
The OCR advises healthcare providers to use public facing videoconferencing applications including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without the risk that the OCR will issue penalties for non-compliance with HIPAA. However, the OCR also specifically disallows the use of certain other public facing video apps such as TikTok, Facebook live, and Twitch to provide telehealth services.
Notwithstanding the OCR’s practice of enforcement discretion, healthcare providers should continue to engage in best practices to safeguard patient data. For example:
1. Consent. Before using video conferencing for medical consultations, request permission from the patient to do so and document their approval in their medical record.
2. BAA. Despite the fact that the OCR will not impose penalties against covered health care providers for the lack of a BAA, the OCR encourages healthcare providers to enter into a BAA with any vendor that provides videoconferencing services, and in its notification provides a list of vendors which represent that they are HIPAA-compliant video conferencing applications that will enter into a HIPAA BAA, including:
3. Encryption. Healthcare providers should enable all available encryption and privacy modes when using the videoconferencing technology.
4. Password Protection. Healthcare providers should create a unique meeting ID and a strong password to access a virtual consultation.
5. Monitor. Healthcare providers should monitor all communications containing PHI. Additionally, healthcare providers should check that both employees and patients are connecting via a secure network connection prior to consultations.
According to analysts at Forrester Research, the adoption of telehealth services has increased dramatically, with virtual healthcare interactions projected to exceed 1 billion by year’s end. While the OCR’s relaxed enforcement of HIPAA during COVID-19 likely will end when the pandemic is brought under control, it appears telehealth services may become the “new normal” for healthcare providers.