Telehealth FAQ for Health Centers
Below are some frequently asked questions regarding telehealth related to the recent changes due to the COVID-19 emergency. More information about patient privacy compliance can be found at https://www.hhs.gov/hipaa/for-professionals/faq/telehealth/index.html.
According to the Health Resources and Services Administration (HRSA) of the U.S. Department of Health and Human Services (HHS), telehealth is the use of electronic information and telecommunications technologies to support and encourage long-distance clinical health care, patient and professional health-related education, and public health and health administration. Techniques for telehealth include web conferencing, the internet, store-and-forward imaging, streaming media, and landline and wireless communications.
Telehealth services may be provided, for example, through audio, text messaging, or video communication technology, including video conferencing software.
Telehealth is different from telemedicine because it refers to a broader range of remote healthcare services than telemedicine. Telemedicine refers explicitly to remote clinical services. Telehealth includes remote non-clinical services, such as provider training, administrative meetings, and continuing medical education, in addition to clinical services.
The Office for Civil Rights (OCR) expects healthcare providers to provide telehealth services in private settings, such as a provider in a clinic or office. Providers should always use private locations, and patients should not receive telehealth services in public settings unless the patient gives consent or urgent circumstances require it.
If telehealth cannot take place in a private setting, covered health care providers should continue to follow reasonable HIPAA safeguards. Some examples of these precautions include using lowered voices, not using speakerphone, or asking the patient to move to a more private location when discussing Protected Health Information (PHI).
Which parts of the HIPAA Rules are included in the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications?
According to the U.S. Department of Health & Human Services (HHS), covered health care providers will not face any penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules as long as they occur in good faith while providing telehealth services during the COVID-19 nationwide public health emergency.
What may constitute bad faith in the provision of telehealth by a covered health care provider, which would not be covered by the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications?
The following is taken directly from the U.S. Dept of Health & Human Services (HHS):
OCR would consider all facts and circumstances when determining whether a health care provider’s use of telehealth services is provided in good faith and thereby covered by the Notice. Some examples of what OCR may consider a bad faith provision of telehealth services that is not covered by this Notice include:
- Conduct or furtherance of a criminal act, such as fraud, identity theft, and intentional invasion of privacy;
- Further uses or disclosures of patient data transmitted during a telehealth communication that are prohibited by the HIPAA Privacy Rule (e.g., sale of the data, or use of the data for marketing without authorization);
- Violations of state licensing laws or professional ethical standards that result in disciplinary actions related to the treatment offered or provided via telehealth (i.e., based on documented findings of a health care licensing or professional ethics board); or
- Use of public-facing remote communication products, such as TikTok, Facebook Live, Twitch, or a chat room like Slack, which OCR has identified in the Notification as unacceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication.
A “non-public facing” remote communication product is one that allows only the intended parties (provider and patient) to participate in the healthcare visit.
These products include platforms such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, WhatsApp video chat, Zoom, or Skype. Similar texting products include Signal, Jabber, Facebook Messenger, Google Hangouts, WhatsApp, or iMessage. Typically, these platforms would have end-to-end encryption, which allows only an individual and the person with whom the individual is communicating to see what is transmitted. The platforms also support individual user accounts, logins, and passcodes to help limit access and verify participants.
Platforms such as TikTok, Facebook Live, Twitch, or a chat room like Slack are NOT acceptable forms of remote communication because they are open to the public.