[Federal Register Volume 85, Number 77 (Tuesday, April 21, 2020)]
[Rules and Regulations]
[Pages 22024-22025]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-08416]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

45 CFR Parts 160 and 164


Notification of Enforcement Discretion for Telehealth Remote 
Communications During the COVID-19 Nationwide Public Health Emergency

AGENCY: Office of the Secretary, HHS.

ACTION: Notification of enforcement discretion.

-----------------------------------------------------------------------

SUMMARY: This notification is to inform the public that the Department 
of Health and Human Services (HHS) is exercising its discretion in how 
it applies the Privacy, Security, and Breach Notification Rules under 
the Health Insurance Portability and Accountability Act of 1996 
(HIPAA). As a matter of enforcement discretion, the HHS Office for 
Civil Rights (OCR) will not impose penalties for noncompliance with the 
regulatory requirements under the HIPAA rules against covered health 
care providers in connection with the good faith provision of 
telehealth during the COVID-19 nationwide public health emergency.

DATES: The Notification of Enforcement Discretion went into effect on 
March 17, 2020, and will remain in effect until the Secretary of HHS 
declares that the public health emergency no longer exists, or upon the 
expiration date of the declared public health emergency, including any 
extensions, (as determined by 42 U.S.C. 247d),\1\ whichever occurs 
first.
---------------------------------------------------------------------------

    \1\ Public Health Emergency Declaration issued by HHS Secretary, 
pursuant to Section 319 of the Public Health Service Act, on January 
31, 2020, with retroactive effective date of January 27, 2020. For 
more information, see https://www.phe.gov/emergency/news/healthactions/phe/Pages/2019-nCoV.aspx.

---------------------------------------------------------------------------

FOR FURTHER INFORMATION CONTACT: Rachel Seeger at (202) 619-0403 or 
(800) 537-7697 (TDD).

SUPPLEMENTARY INFORMATION: 

I. Background

    The Office for Civil Rights (OCR) at the Department of Health and 
Human Services (HHS) is responsible for enforcing certain regulations 
issued under the Health Insurance Portability and Accountability Act of 
1996 (HIPAA),\2\ as amended by the Health
Information Technology for Economic and Clinical Health (HITECH) Act, 
to protect the privacy and security of protected health information, 
namely the HIPAA Privacy, Security and Breach Notification Rules (the 
HIPAA Rules).
---------------------------------------------------------------------------

    \2\ Due to the public health emergency posed by COVID-19, the 
HHS Office for Civil Rights (OCR) is exercising its enforcement 
discretion under the conditions outlined herein. We believe that 
this guidance is a statement of agency policy not subject to the 
notice and comment requirements of the Administrative Procedure Act 
(APA). 5 U.S.C. 553(b)(3)(A). OCR additionally finds that, even if 
this guidance were subject to the public participation provisions of 
the APA, prior notice and comment for this guidance is 
impracticable, and there is good cause to issue this guidance 
without prior public comment and without a delayed effective date. 5 
U.S.C. 553(b)(3)(B) & (d)(3).
---------------------------------------------------------------------------

    During the COVID-19 national emergency, which also constitutes a 
nationwide public health emergency, covered health care providers 
subject to the HIPAA Rules may seek to communicate with patients, and 
provide telehealth services, through remote communications 
technologies.
    Some of these technologies, and the manner in which they are used 
by HIPAA covered health care providers, may not fully comply with the 
requirements of the HIPAA Rules. OCR will exercise its enforcement 
discretion and will not impose penalties for noncompliance with the 
regulatory requirements under the HIPAA Rules against covered health 
care providers in connection with the good faith provision of 
telehealth during the COVID-19 nationwide public health emergency.
    A covered health care provider that wants to use audio or video 
communication technology to provide telehealth to patients during the 
COVID-19 nationwide public health emergency can use any non-public 
facing remote communication product that is available to communicate 
with patients. OCR is exercising its enforcement discretion to not 
impose penalties for noncompliance with the HIPAA Rules in connection 
with the good faith provision of telehealth using such non-public 
facing audio or video communication products during the COVID-19 
nationwide public health emergency. This exercise of discretion applies 
to telehealth provided for any reason, regardless of whether the 
telehealth service is related to the diagnosis and treatment of health 
conditions related to COVID-19.
    For example, a covered health care provider in the exercise of 
their professional judgement may request to examine a patient 
exhibiting COVID-19 symptoms, using a video chat application connecting 
the provider's or patient's phone or desktop computer in order to 
assess a greater number of patients while limiting the risk of 
infection of other persons who would be exposed from an in-person 
consultation. Likewise, a covered health care provider may provide 
similar telehealth services in the exercise of their professional 
judgment to assess or treat any other medical condition, even if not 
related to COVID-19, such as a sprained ankle, dental consultation or 
psychological evaluation, or other conditions.
    Under this Notification, covered health care providers may use 
popular applications that allow for video chats, including Apple 
FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, 
or Skype, to provide telehealth without risk that OCR might seek to 
impose a penalty for noncompliance with the HIPAA Rules related to the 
good faith provision of telehealth during the COVID-19 nationwide 
public health emergency. Providers are encouraged to notify patients 
that these third-party applications potentially introduce privacy 
risks, and providers should enable all available encryption and privacy 
modes when using such applications.
    Under this notification, however, Facebook Live, Twitch, TikTok, 
and similar video communication applications are public facing, and 
should not be used in the provision of telehealth by covered health 
care providers.
    Covered health care providers that seek additional privacy 
protections for telehealth while using video communication products 
should provide such services through technology vendors that are HIPAA 
compliant and will enter into HIPAA business associate agreements 
(BAAs) in connection with the provision of their video communication 
products. The list below includes some vendors that represent that they 
provide HIPAA-compliant video communication products and that they will 
enter into a HIPAA BAA.
     Skype for Business / Microsoft Teams
     Updox
     VSee
     Zoom for Healthcare
     Doxy.me
     Google G Suite Hangouts Meet
     Cisco Webex Meetings / Webex Teams
     Amazon Chime
     GoToMeeting
     Spruce Health Care Messenger
    OCR has not reviewed the BAAs offered by these vendors, and this 
list does not constitute an endorsement, certification, or 
recommendation of specific technology, software, applications, or 
products. There may be other technology vendors that offer HIPAA-
compliant video communication products that will enter into a HIPAA BAA 
with a covered entity. Further, OCR does not endorse any of the 
applications that allow for video chats listed above.
    Under this notification, however, OCR will not impose penalties 
against covered health care providers for the lack of a BAA with video 
communication vendors or any other noncompliance with the HIPAA Rules 
that relates to the good faith provision of telehealth services during 
the COVID-19 nationwide public health emergency.

III. Collection of Information Requirements

    This notice of enforcement discretion creates no legal obligations 
and no legal rights. Because this notice imposes no information 
collection requirements, it need not be reviewed by the Office of 
Management and Budget under the Paperwork Reduction Act of 1995 (44 
U.S.C. 3501 et seq.).

    Dated: April 2, 2020.
Roger T. Severino,
Director, Office for Civil Rights, Department of Health and Human 
Services.
[FR Doc. 2020-08416 Filed 4-20-20; 8:45 am]
 BILLING CODE 4153-01-P