HHS Allows HIPAA Compliance Discretion For Telehealth Remote Communications During the COVID-19 Emergency

By Dan Seyer, CMO, Edgile

The need to rapidly pivot from in-person health visits to remote audio/video communications between medical professionals and patients (commonly called telehealth services) due to the COVID-19 pandemic restrictions has raised a number of compliance concerns under the HIPAA Privacy, Security and Breach Notification Rules (the HIPAA Rules). Some of the telehealth technologies being used by health care providers may not fully comply with the HIPAA Rules.

In response to this urgent need, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has issued a notification stating that, “OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.” This new policy goes into effect immediately.

The enforcement discretion applies to all telehealth medical services, not just those related to the diagnosis and treatment of COVID-19. A covered health care provider may examine a patient exhibiting COVID-19 symptoms using a video chat application in order to assess a greater number of patients while limiting the risk of infection from in-person consultations. The medical professional may also provide similar telehealth services to assess or treat any other medical condition, even if not related to COVID-19, such as a sprained ankle, dental consultation, psychological evaluation, or other conditions.

Covered health care providers may use popular private video chat applications, including Apple FaceTime, Facebook Messenger video chat or Zoom, to provide telehealth services without worrying about penalties for noncompliance with the HIPAA Rules. Providers should enable all available encryption and privacy settings in their application of choice and they are encouraged to notify patients that third-party applications potentially introduce privacy risks.

The notification cautioned that public-facing applications such as Facebook Live, Twitch, TikTok, and others should not be used for telehealth, presumably because these platforms may offer less robust privacy protections.
For additional telehealth protections, covered health care providers should select technology vendors that are HIPAA compliant and have HIPAA business associate agreements (BAAs) for their video communications products. OCR provided the following list of vendors that meet these requirements without expressly endorsing the vendors or their technologies and recognizing that there may be other technology vendors that meet the requirements:

  • Skype for Business/Microsoft Teams
  • Updox
  • VSee
  • Zoom for Healthcare
  • Doxy.me
  • Google G Suite Hangouts Meet
  • Cisco Webex Meetings/Webex Teams
  • Amazon Chime
  • GoToMeeting

The OCR will not impose penalties against covered health care providers that choose to use technology without a BAA, or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 public health emergency.
The OCR did not share its rationale on why some technology vendors were deemed acceptable and others weren’t, making it difficult for health care providers to determine how products not on the above list might fare or what factors to consider if a healthcare enterprise wanted to create their own video application. It stands to reason that using a vendor from the OCR’s list may provide more compliance protection for providers under this notification.

If you are choosing to use Microsoft Teams, check out our replay of securing your remote workforce which includes a deep dive of the security architecture that enables Teams.  And the webinar also provides some info on Microsoft-funded security workshops that may be available to your organization.


“If your organization is utilizing telehealth technology, we recommend you conduct a security assessment to identity any potential compliance gaps. For example, if you are using new video apps, are doctors recording and saving HIPAA data on third party cloud servers which may not be covered by the OCR’s current relaxed enforcement stance? By conducting a complete security audit you’ll be in position to enable the business once OCR requires fully HIPAA-compliant telehealth services.”  –Larry Wolf, Edgile Partner