COVID-19 Telehealth Care Considerations — OCR Eases Restrictions

By Thomas J. DeMayo, Principal

As healthcare providers and medical practice groups are forced to transition to virtual continuity of care operations in response to COVID-19, a telehealth program will be key. The Office for Civil Rights (OCR) has recently eased restrictions and released new guidance regarding the compliance considerations when implementing a telehealth strategy.


The good news is that OCR has recognized the need for practices to implement telehealth operations and will not enforce the standard set of HIPAA requirements that typically would be necessary when implementing a telehealth solution.

To simplify the restrictions, OCR has stated that a healthcare provider can use any non-public facing remote communication product. In addition, OCR will not impose penalties for the failure to obtain a Business Associate Agreement (BAA) with the communication provider during this time.

Public Facing (Prohibited) and Non-Public Facing

The OCR provides specific examples of public-facing communications that are prohibited as follows: Facebook Live, Twitch, and TikTok.

The OCR also lists the following vendors that claim to offer a solution that is in alignment with the HIPAA requirements:

  • Skype for Business / Microsoft Teams
  • Updox
  • VSee
  • Zoom for Healthcare
  • Google G Suite Hangouts Meet

While the OCR typically will not specify a vendor or product in an effort to remain neutral, given the current crisis, however, they are deviating from their standard approach to provide clarity in their recommendations. In our opinion, this will help support a level of comfort in the solution a provider may choose.


If you are currently exploring a telehealth solution, our recommendation is to select a vendor that offers a HIPAA compliant solution. Keep in mind, however, to expedite the deployment, the execution of the Business Associate Agreement can be deferred to a later time. The reality is, once you ‒ as a provider ‒ implement a telehealth solution, it will likely continue to be a component of your practice after this crisis.

More Information

The official communication from OCR can be found here.

Contact Us

Should you have any questions regarding implementing a telehealth solution or HIPAA compliance, please contact any of the following:

Principal, Cyber Risk Management | 646-449-6353

David Marks, CPA
Partner | 845.565.5400

Christopher J. McCarthy, CPA
Partner | 914.341.7018

Michael Lewensohn
Manager | 914.381.8900