COVID-19 Telehealth Care Considerations — OCR Eases Restrictions
By Thomas J. DeMayo, Principal
As healthcare providers and medical practice groups are forced to transition to virtual continuity of care operations in response to COVID-19, a telehealth program will be key. The Office for Civil Rights (OCR) has recently eased restrictions and released new guidance regarding the compliance considerations when implementing a telehealth strategy.
The good news is that OCR has recognized the need for practices to implement telehealth operations and will not enforce the standard set of HIPAA requirements that typically would be necessary when implementing a telehealth solution.
To simplify the restrictions, OCR has stated that a healthcare provider can use any non-public facing remote communication product. In addition, OCR will not impose penalties for the failure to obtain a Business Associate Agreement (BAA) with the communication provider during this time.
Public Facing (Prohibited) and Non-Public Facing
The OCR gives the following specific examples of public-facing communication products that are prohibited: Facebook Live, Twitch, and TikTok.
The OCR also lists the following vendors that claim to offer a solution that is in alignment with the HIPAA requirements:
- Skype for Business / Microsoft Teams
- Zoom for Healthcare
- Google G Suite Hangouts Meet
The OCR typically will not specify a vendor or product, in an effort to remain neutral. Given the current crisis, however, they are deviating from their standard approach to provide clarity in their recommendations. In our opinion, this will help support a level of comfort in the solution a provider may choose.
If you are currently exploring a telehealth solution, our recommendation is to select a vendor that offers a HIPAA-compliant solution. Keep in mind, however, that to expedite the deployment, the execution of the Business Associate Agreement can be deferred to a later time. The reality is that once you, as a provider, implement a telehealth solution, it will likely continue to be a component of your practice after this crisis.
The official communication from OCR can be found here.
Should you have any questions regarding implementing a telehealth solution or HIPAA compliance, please contact any of the following:
Thomas J. DeMayo, CISSP, CISA, CIPP/US, CRISC, CEH, CHFI, CCF
Principal, Cyber Risk Management
firstname.lastname@example.org | 646-449-6353
David Marks, CPA
email@example.com | 845.565.5400
Christopher J. McCarthy, CPA
firstname.lastname@example.org | 914.341.7018
email@example.com | 914.381.8900