Telemedicine & HIPAA During COVID-19 and Beyond

Telemedicine & HIPAA During COVID-19 and Beyond

A recent report conducted by the Department of Health and Human Services (HHS) showed a dramatic uptick in telehealth utilization by Medicare beneficiaries. Before COVID-19, Medicare primary care telehealth visits were less than one percent. In April, 43.5% of Medicare primary care visits were telehealth visits. With the Centers for Medicare and Medicaid Services (CMS) planning to expand telehealth benefits in the 2021 Physician Fee Schedule Proposed Rule, one can assume this is a trend that is not going away.

On March 17, 2020, the Office for Civil Rights (OCR) announced the Notification of Enforcement Discretion for telehealth remote communications during the COVID-19 public health emergency (PHE). This allowed the OCR to waive potential penalties for HIPAA violations against healthcare providers that serve patients through everyday communication technologies during the PHE.

COVID-19 Won't Last Forever and Neither will Enforcement Discretion

Even though it may feel like it, the current public health emergency will not last forever, and neither will enforcement discretion. If telehealth services are being provided in your practice, or if you are considering adding telehealth as an option for your patients, you must be compliant. If your practice experiences a potential HIPAA issue that falls under enforcement discretion, it may not be enforceable, but penalties can be applied for other areas of non-compliance. When investigating, the OCR can look at your entire compliance program as it relates to HIPAA. They have stated that they will address areas of "systemic non-compliance" which means you cannot depend on the Notice of Enforcement Discretion to protect all of your HIPAA compliance, or non-compliance if that is the case.

How to Ensure Compliance for Telehealth Beyond COVID

Now is the time to review policies and procedures that relate to telehealth. Consider the following:

  • Ensure that your telehealth vendor is HIPAA compliant and will sign a business associate agreement (BAA).
  • Make sure that all healthcare providers and other members of the workforce involved in providing telehealth services understand which platforms they can use and which ones to avoid.
  • If there are methods of telehealth being used such as email and text messages that involve PHI and the PHI is not encrypted, look into ways to change these processes before enforcement discretion expires.
  • The longer systems are in place, the harder it is to change once the time comes.

For questions about this post or more information about managing compliance in your practice, reach out to the author at