[Federal Register Volume 85, Number 77 (Tuesday, April 21, 2020)]
[Rules and Regulations]
[Pages 22024-22025]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-08416]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
45 CFR Parts 160 and 164
Notification of Enforcement Discretion for Telehealth Remote
Communications During the COVID-19 Nationwide Public Health Emergency
AGENCY: Office of the Secretary, HHS.
ACTION: Notification of enforcement discretion.
-----------------------------------------------------------------------
SUMMARY: This notification is to inform the public that the Department
of Health and Human Services (HHS) is exercising its discretion in how
it applies the Privacy, Security, and Breach Notification Rules under
the Health Insurance Portability and Accountability Act of 1996
(HIPAA). As a matter of enforcement discretion, the HHS Office for
Civil Rights (OCR) will not impose penalties for noncompliance with the
regulatory requirements under the HIPAA rules against covered health
care providers in connection with the good faith provision of
telehealth during the COVID-19 nationwide public health emergency.
DATES: The Notification of Enforcement Discretion went into effect on
March 17, 2020, and will remain in effect until the Secretary of HHS
declares that the public health emergency no longer exists, or upon the
expiration date of the declared public health emergency, including any
extensions, (as determined by 42 U.S.C. 247d),\1\ whichever occurs
first.
---------------------------------------------------------------------------
\1\ Public Health Emergency Declaration issued by HHS Secretary,
pursuant to Section 319 of the Public Health Service Act, on January
31, 2020, with retroactive effective date of January 27, 2020. For
more information, see https://www.phe.gov/emergency/news/healthactions/phe/Pages/2019-nCoV.aspx.
FOR FURTHER INFORMATION CONTACT: Rachel Seeger at (202) 619-0403 or
---------------------------------------------------------------------------
(800) 537-7697 (TDD).
SUPPLEMENTARY INFORMATION:
I. Background
The Office for Civil Rights (OCR) at the Department of Health and
Human Services (HHS) is responsible for enforcing certain regulations
issued under the Health Insurance Portability and Accountability Act of
1996 (HIPAA),\2\ as amended by the Health
[[Page 22025]]
Information Technology for Economic and Clinical Health (HITECH) Act,
to protect the privacy and security of protected health information,
namely the HIPAA Privacy, Security and Breach Notification Rules (the
HIPAA Rules).
---------------------------------------------------------------------------
\2\ Due to the public health emergency posed by COVID-19, the
HHS Office for Civil Rights (OCR) is exercising its enforcement
discretion under the conditions outlined herein. We believe that
this guidance is a statement of agency policy not subject to the
notice and comment requirements of the Administrative Procedure Act
(APA). 5 U.S.C. 553(b)(3)(A). OCR additionally finds that, even if
this guidance were subject to the public participation provisions of
the APA, prior notice and comment for this guidance is
impracticable, and there is good cause to issue this guidance
without prior public comment and without a delayed effective date. 5
U.S.C. 553(b)(3)(B) & (d)(3).
---------------------------------------------------------------------------
During the COVID-19 national emergency, which also constitutes a
nationwide public health emergency, covered health care providers
subject to the HIPAA Rules may seek to communicate with patients, and
provide telehealth services, through remote communications
technologies.
Some of these technologies, and the manner in which they are used
by HIPAA covered health care providers, may not fully comply with the
requirements of the HIPAA Rules. OCR will exercise its enforcement
discretion and will not impose penalties for noncompliance with the
regulatory requirements under the HIPAA Rules against covered health
care providers in connection with the good faith provision of
telehealth during the COVID-19 nationwide public health emergency.
A covered health care provider that wants to use audio or video
communication technology to provide telehealth to patients during the
COVID-19 nationwide public health emergency can use any non-public
facing remote communication product that is available to communicate
with patients. OCR is exercising its enforcement discretion to not
impose penalties for noncompliance with the HIPAA Rules in connection
with the good faith provision of telehealth using such non-public
facing audio or video communication products during the COVID-19
nationwide public health emergency. This exercise of discretion applies
to telehealth provided for any reason, regardless of whether the
telehealth service is related to the diagnosis and treatment of health
conditions related to COVID-19.
For example, a covered health care provider in the exercise of
their professional judgement may request to examine a patient
exhibiting COVID-19 symptoms, using a video chat application connecting
the provider's or patient's phone or desktop computer in order to
assess a greater number of patients while limiting the risk of
infection of other persons who would be exposed from an in-person
consultation. Likewise, a covered health care provider may provide
similar telehealth services in the exercise of their professional
judgment to assess or treat any other medical condition, even if not
related to COVID-19, such as a sprained ankle, dental consultation or
psychological evaluation, or other conditions.
Under this Notification, covered health care providers may use
popular applications that allow for video chats, including Apple
FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom,
or Skype, to provide telehealth without risk that OCR might seek to
impose a penalty for noncompliance with the HIPAA Rules related to the
good faith provision of telehealth during the COVID-19 nationwide
public health emergency. Providers are encouraged to notify patients
that these third-party applications potentially introduce privacy
risks, and providers should enable all available encryption and privacy
modes when using such applications.
Under this notification, however, Facebook Live, Twitch, TikTok,
and similar video communication applications are public facing, and
should not be used in the provision of telehealth by covered health
care providers.
Covered health care providers that seek additional privacy
protections for telehealth while using video communication products
should provide such services through technology vendors that are HIPAA
compliant and will enter into HIPAA business associate agreements
(BAAs) in connection with the provision of their video communication
products. The list below includes some vendors that represent that they
provide HIPAA-compliant video communication products and that they will
enter into a HIPAA BAA.
Skype for Business I Microsoft Teams
Updox
VSee
Zoom for Healthcare
Doxy.me
Google G Suite Hangouts Meet
Cisco Webex Meetings I Webex Teams
Amazon Chime
GoToMeeting
Spruce Health Care Messenger
OCR has not reviewed the BAAs offered by these vendors, and this
list does not constitute an endorsement, certification, or
recommendation of specific technology, software, applications, or
products. There may be other technology vendors that offer HIPAA-
compliant video communication products that will enter into a HIPAA BAA
with a covered entity. Further, OCR does not endorse any of the
applications that allow for video chats listed above.
Under this noticfication, however, OCR will not impose penalties
against covered health care providers for the lack of a BAA with video
communication vendors or any other noncompliance with the HIPAA Rules
that relates to the good faith provision of telehealth services during
the COVID-19 nationwide public health emergency.
III. Collection of Information Requirements
This notice of enforcement discretion creates no legal obligations
and no legal rights. Because this notice imposes no information
collection requirements, it need not be reviewed by the Office of
Management and Budget under the Paperwork Reduction Act of 1995 (44
U.S.C. 3501 et seq.).
Dated: April 2, 2020.
Roger T. Severino,
Director, Office for Civil Rights Department of Health and Human
Services.
[FR Doc. 2020-08416 Filed 4-20-20; 8:45 am]
BILLING CODE 4153-01-P