April 28, 2020

HIPAA Enforcement Discretion Possible for Telehealth Services

The federal government continues to give doctors more temporary flexibility during the COVID-19 pandemic.

American College of Radiology® members may offer telehealth services to patients without incurring legal risk for violating privacy standards in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

HIPAA’s primary regulator, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR), will exercise discretion in enforcing the HIPAA rules against radiologists and other providers who use certain technologies such as FaceTime or Skype to interact virtually with patients (in good faith).

This relaxed enforcement will apply, for instance, if members provide telehealth services to a patient who manifests COVID-19 symptoms or who may diagnose or treat other medical conditions unrelated to COVID-19.

Notably, the OCR will impose no penalties if they have no business associate agreement with video communication vendors.

However, members should advise patients that they are communicating via technologies that might present privacy risks.

When using those applications for telehealth purposes, members should use all available encryption and related privacy modes.