Board of Psychology Advisory on Telehealth and HIPAA During the COVID-19 Public Health Emergency
U.S. Department of Health and Human Services Notification
In March the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notification of Enforcement Discretion (Notification) addressing telehealth remote communications. That Notification stated that, during the COVID-19 public health emergency, health care providers subject to HIPAA may seek to communicate with and provide telehealth services to patients through remote communications technologies, some of which may not be fully HIPAA compliant. In the Notification, OCR stated that it would exercise enforcement discretion and not impose penalties for noncompliance with HIPAA requirements against covered health care providers in connection with the good faith provision of telehealth during this public health emergency.
California Executive Order
New Telehealth Information Pursuant to Executive Order N-16-21
The Governor’s new Executive Order, N-16-21, issued on September 27, 2021, does the following:
- Extends the previous Executive Order’s provisions relaxing certain state privacy and security laws for medical providers, which were set to expire on September 30, 2021, through the end of the state of emergency or until the original order is rescinded or modified.
- Rescinds the previous Executive Order’s provision that suspended the requirements specified in Business and Professions Code (BPC) section 2290.5(b).
BPC §2290.5(b) states the following:
- Before the delivery of health care via telehealth, the health care provider initiating the use of telehealth shall inform the patient about the use of telehealth and obtain verbal or written consent from the patient for the use of telehealth as an acceptable mode of delivering health care services and public health. The consent shall be documented.
Licensees utilizing telehealth are again required to obtain consent prior to the delivery of health care via telehealth pursuant to BPC section 2290.5(b). DCA strongly urges review of the applicable statutes and regulations related to telehealth to ensure compliance with the law.
Therefore, if you are a covered health care provider subject to HIPAA, your delivery of psychological services via telehealth is not required to be HIPAA compliant, but must be consistent with the Notification, and you must give due consideration to the measures encouraged by the Notification to safeguard patient privacy and endeavor to adopt them.
The Notification specified the following:
- Acceptable technologies. A provider who wants to use audio or video communication technology to provide services via telehealth can use any “non-public facing remote communication product” that is available to communicate with patients. Specifically, you may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype.
- Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
- Prohibited technologies. Public-facing video communication applications, such as Facebook Live, Twitch, and TikTok, should not be used in the provision of telehealth.
- If you want additional protections. Providers that want additional privacy protections for telehealth while using video communication products should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products. The Notification includes a list of some vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA. Some examples they provide (but do not endorse) are: Skype for Business; Updox; VSee; Zoom for Healthcare; Doxy.me; Google G Suite Hangouts Meet.
- The Notification only applies to "covered health care providers."
- Locations. OCR expects that providers will ordinarily conduct telehealth in private settings, such as in a clinic or office connecting to a patient who is at home or at another clinic. Providers should always use private locations and patients should not receive telehealth services in public or semi-public settings, absent patient consent or exigent circumstances.
- Other reasonable measures. If services cannot be provided in a private setting, providers should continue to implement reasonable HIPAA safeguards to limit incidental uses or disclosures of protected health information (PHI). Such reasonable precautions could include using lowered voices, not using speakerphone, or recommending that the patient move to a reasonable distance from others when discussing PHI.
To view the Notification, visit telehealth.hhs.gov. On the homepage follow the link to Policy Changes during COVID-19 under the For Providers section.
As part of their FAQs, OCR also recommends the following measures:
To view the HHS FAQs, go to https://www.hhs.gov/hipaa/for-professionals/faq/telehealth/index.html
Lastly, licensees are reminded that they must comply with any other laws and regulations that apply to telehealth and are still in effect.