HHS will not penalize telehealth providers for HIPAA violations during coronavirus emergency


On April 21, the Office of Civil Rights within the U.S. Department of Health and Human Services (HHS) issued a final rule announcing that it would not penalize health care providers using telehealth services in good faith during the COVID-19 public health emergency.

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), some telehealth technologies might violate certain privacy rules. The HHS rule is an announcement that the agency is using its enforcement discretion not to penalize providers for violations during the coronavirus crisis.

The final rule encourages health care providers to inform patients that third-party applications might pose privacy risks and instructs providers to use privacy modes when using the following services:
• Skype for Business I Microsoft Teams
• Updox
• VSee
• Zoom for Healthcare
• http://Doxy.meDoxy.me>
• Google G Suite Hangouts Meet
• Cisco Webex Meetings I Webex Teams
• Amazon Chime
• GoToMeeting
• Spruce Health Care Messenger
According to HHS, the final rule will remain in effect until the Secretary of HHS Alex Azar declares that the public health emergency no longer exists or until the passing of the expiration date for the declared public health emergency.

A final rule is a federal administrative regulation that is published in the _Federal Register_ with a scheduled effective date. The published final rule marks the last stage in the rulemaking process and includes information about the rationale for the regulation as well as any necessary responses to public comments.

Additional reading:
U.S. Department of Health and Human Services
Federal Register
Department of Homeland Security v. Regents of the University of California
The Administrative State Project

Click here to read the HHS rule.