Telehealth and HIPAA’s Notification of Enforcement Discretion
Telehealth was already growing before the spread of the coronavirus changed how healthcare providers delivered their services. Once the pandemic reached its peak, telehealth exploded as a means for patients and providers alike to keep their routine appointments without risking exposure to COVID-19.
For HIPAA compliance, this threw many providers into a gray area. In response, the Department of Health and Human Services’ Office of Civil Rights (OCR) issued a notice that it will allow healthcare providers to use widely available communications software without fear of violating HIPAA, even if the software does not meet the HIPAA privacy and security requirements. This is called the Notification of Enforcement Discretion.
The notification applies to all HIPAA-covered healthcare providers, with no limitation on the patients they serve with telehealth, including patients who receive Medicare or Medicaid benefits and those who do not.
Through the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications, covered healthcare providers will not be subject to penalties for violations of the HIPAA Privacy, Security and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This notification does not affect the application of the HIPAA rules to other areas of healthcare outside of telehealth during the pandemic.
The non-public-facing remote communication products that fall within the scope of HIPAA’s Notification of Enforcement Discretion include Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, WhatsApp video chat, Zoom and Skype. Typically, these platforms employ end-to-end encryption, which allows only an individual and the person with whom the individual is communicating to see what is transmitted. These platforms also support individual user accounts, logins and passcodes to help limit access and verify participants.
The Notification of Enforcement Discretion will remain in effect until the Secretary of HHS declares that the public health emergency no longer exists or upon the expiration date of the declared public health emergency, including any extensions.
If a covered healthcare provider uses telehealth services during the pandemic and electronic protected health information is intercepted during transmission, OCR will not impose a penalty on the provider for violating the HIPAA Security Rule. OCR will exercise its enforcement discretion and will not pursue otherwise applicable penalties for breaches that result from the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.
Take the opportunity to bolster your regulatory compliance, especially with HIPAA, as telehealth gains traction in the healthcare industry. Contact 2W Tech today to get started with your Cybersecurity Compliance Program and let our IT consultants do the work for you.