OCR Allows Flexible Telehealth Technology Use During COVID-19 Emergency

COVID-19 Update

Date: March 20, 2020

The Department of Health and Human Services Office for Civil Rights (OCR) has issued a notice confirming that it will exercise its enforcement discretion and will not penalize health care providers for noncompliance with the HIPAA Privacy and Security Rules (HIPAA Rules) in connection with the good faith provision of telehealth services during the COVID-19 nationwide public health emergency. Effective immediately, health care providers may use any available non-public facing remote communication product to communicate with patients, including those that might not fully comply with the HIPAA Rules and that have not previously been permitted in the use of telehealth services.

OCR’s exercise of discretion applies to telehealth services provided for any reason, whether it is related to the diagnosis and treatment of health conditions related to COVID-19 or not. For example, in addition to using telehealth technology to examine a patient exhibiting COVID-19 symptoms, a health care provider may use it to assess or treat patients for any other medical condition, such as a sprained ankle, dental consultation or psychological condition.

Health care providers may now use popular applications used for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video or Skype, to provide telehealth services. They are encouraged, however, to notify patients that these third-party applications potentially introduce privacy risks. Providers should also enable all available encryption and privacy modes when using these applications. OCR will not impose a penalty against a health care provider for the lack of a business associate agreement (BAA) with a video communication vendor during the COVID-19 public health emergency. In addition, OCR notes that Facebook Live, Twitch, TikTok and similar public facing video communication applications should not be used to provide telehealth services.

While it is not required during the emergency, a health care provider seeking additional privacy protections should enlist a technology vendor that provides a HIPAA-compliant product and will enter into a BAA in connection with its use. The vendors offering Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me and Google G Suite Hangouts Meet have represented to OCR that these products are HIPAA-compliant and they will enter into BAAs with health care providers. OCR cautioned that it has not reviewed the BAAs offered by these vendors; that this list does not constitute an endorsement, certification or recommendation of specific products; and that there may be other technology vendors that offer HIPAA-compliant products and will enter into BAAs with health care providers.


For more information, please contact:

Cori R. Haper

Rebeccah C. Raines

Additional Resources

We have assembled a firmwide multidisciplinary task force to address clients’ business and legal concerns and needs related to the COVID-19 pandemic. Please see our COVID-19 Task Force page for additional information and resources.

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel. This document may be considered attorney advertising in some jurisdictions.