Federal and state governments are relaxing regulatory barriers to the use of telehealth in light of the COVID-19 public health emergency, as noted in our alert dated March 19, 2020. Agencies continue to provide additional guidance to assist healthcare providers with a smooth transition to telehealth, to the extent medically appropriate, to stem the spread of COVID-19.
On March 20, OCR released additional guidance in the form of FAQs providing more detail on its nonenforcement policy regarding telehealth services. In addition, SAMHSA released guidance on the use of telehealth by Part 2 programs to provide substance abuse treatment during the COVID-19 emergency. A summary of the key points highlighted in the OCR and SAMHSA guidance is provided below.
OCR: FAQs on Telehealth and HIPAA during the COVID-19 Public Health Emergency
OCR clarified the following in its FAQs:
- Its nonenforcement policy applies only to healthcare providers subject to HIPAA who are providing telehealth services (for both COVID-19 and non-COVID-19 purposes) in good faith. The policy does not extend to other covered entities, such as health insurance companies paying for telehealth.
- While the nonenforcement policy applies to violations of HIPAA's Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth services, it does not affect the application of the HIPAA Rules to other areas of healthcare outside of telehealth during the emergency.
- If a healthcare provider uses video communication, OCR encourages but does not require the provider to use vendors familiar with the HIPAA Security Rule. Most commonly available, non-public-facing remote communication products provide end-to-end encryption and support individual user accounts, logins, and passcodes to help limit access and verify participants. To the extent possible, however, OCR encourages the use of a vendor that provides assurances that it will protect PHI pursuant to a business associate agreement and employs stronger security capabilities.
- A healthcare provider should always use private locations when providing telehealth services. If the provider is using a product without a business associate agreement in place, the provider should (but is not required to) notify the patients that the use of such product introduces privacy risks.
- There is no waiver of the notification requirements under the HIPAA Breach Notification Rule. A healthcare provider must report a breach as required by the Breach Notification Rule if PHI is intercepted during a telehealth visit. OCR will consider all facts and circumstances when determining whether the provider was acting in good faith while delivering telehealth services during the COVID-19 public health emergency, including whether the provider was following the terms of the FAQs.
- Examples of bad faith delivery of telehealth services include violations of state licensing laws or professional ethical standards that result in documented disciplinary actions related to the treatment offered via telehealth and the use of public-facing remote communication products.
SAMHSA: Considerations for the Care and Treatment of Substance Use Disorders during the COVID-19 Public Health Emergency
In its guidance, SAMHSA strongly recommends the use of telehealth and/or telephonic services to evaluate and treat patients during the COVID-19 public health emergency. For example, SAMHSA promotes the use of telehealth for initial evaluations, including those for the consideration of the use of buprenorphine products to treat opioid use disorder. Additionally, SAMHSA recommends the use of telehealth services for individual or group therapies, including cognitive behavioral therapies for mental and substance use disorders.
SAMHSA further recognizes that providers may not be able to obtain written patient consent for the disclosure of substance use disorder records while providing services via telehealth. Importantly, SAMHSA also reminds providers that they may use and disclose a patient's information in a medical emergency—even without the patient's written consent. If this exception to patient consent is used, the provider must remember to capture certain information in the patient's record, including the name of the medical personnel to whom the disclosure was made.
If you have any questions regarding this client alert, or if you would like assistance with your organization's response to the COVID-19 national health emergency, please contact a member of Venable's Healthcare Practice Group.