OCR: Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency; OCR: FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency; CMS: FAQs on Availability and Usage of Telehealth Services through Private Health Insurance Coverage in Response to Coronavirus Disease 2019 (COVID-19) (March 24, 2020)
HHS’s Office for Civil Rights (OCR) has announced that it will not impose certain HIPAA penalties against health care providers using telehealth communications in good faith during the COVID-19 nationwide public health emergency. (Separately, OCR has waived certain provisions of the HIPAA privacy rule for covered hospitals and summarized existing HIPAA use and disclosure rules applicable to all covered entities in emergency situations.) In FAQ guidance, OCR explains that this enforcement relief applies to all services that covered health care providers, in their professional judgment, believe can be provided through telehealth during the COVID-19 emergency. These services include diagnosis or treatment of both COVID-19-related conditions, such as taking a patient’s temperature or other vitals remotely, and non-COVID-19-related conditions, such as review of physical therapy practices, mental health counseling, or adjustment of prescriptions.
Providers are not considered to be providing telehealth services in good faith if, for example, they further use or disclose protected health information (PHI) transmitted during a telehealth communication in ways prohibited by the HIPAA privacy rule; violate state licensing laws or professional ethical standards relating to telehealth treatments; or use public-facing remote communication products such as TikTok, Facebook Live, or other products designed to allow wide or indiscriminate access. Conversely, while not endorsing any particular product, OCR notes that providers may satisfy the good faith standard by using non-public-facing remote communication products such as Apple FaceTime, Facebook Messenger video chat, certain texting applications, and other products that allow only the intended parties to participate in the communication. OCR observes that the acceptable products typically employ end-to-end encryption; support individual user accounts, logins, and passwords; and allow users to assert control over features such as recording or muting the communication and turning off the video or audio signal.
Although OCR’s enforcement relief does not apply to health insurers (or, by implication, to self-insured health plans), CMS has issued separate guidance encouraging insurers to promote the use of telehealth services—for example, by notifying policyholders and beneficiaries of their availability, ensuring access to a robust suite of telehealth services (including mental health and substance use disorder services), and covering telehealth services without cost-sharing or other medical management requirements. As an exception to the general prohibition on midyear coverage modifications, CMS further announced that it will not take enforcement action against health insurers that amend group or individual products midyear to provide greater coverage for telehealth services or to reduce or eliminate cost-sharing requirements for telehealth services, even if the telehealth services covered by the change are not related to COVID-19. CMS will continue to take enforcement action against health insurers that attempt to limit or eliminate other benefits to offset the costs of more generous telehealth benefits. The CMS guidance does not apply to self-insured ERISA plans, which are under the DOL’s jurisdiction (and are not subject to the ban on midyear modifications).
EBIA Comment: In addition to HIPAA privacy and security considerations, telehealth raises compliance issues under other federal and state laws. CMS encourages states to consider relaxing state laws to support efforts by insurers (and, by extension, all health plans) to increase access to telehealth services. Health plans also face numerous issues when incorporating telehealth into their covered benefits, including HIPAA business associate contracts and the impact of telehealth on HSA eligibility—an issue that is on the regulators’ radar (see our Checkpoint article). Employers adjusting to increased numbers of remote workers may be interested in establishing or expanding telehealth capabilities under their health plans. Setting up a compliant telehealth program requires substantial expertise, and while these agency actions are welcome, they represent small pieces in a complex equation. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Section XXIII.O (“HIPAA Privacy and Security Issues for Health Plans Incorporating Telemedicine”). See also EBIA’s Self-Insured Health Plans manual at Section XI.E.5 (“Telemedicine”).
Contributing Editors: EBIA Staff.