

Board of Psychology Advisory on Telehealth and HIPAA During the COVID-19 Public Health Emergency

U.S. Department of Health and Human Services Notification

In March 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a Notification of Enforcement Discretion (Notification) addressing telehealth remote communications. The Notification recognized that, during the COVID-19 public health emergency, health care providers subject to HIPAA may need to communicate with and provide telehealth services to patients through remote communications technologies, some of which may not be fully HIPAA compliant. OCR stated that it would exercise its enforcement discretion and not impose penalties for noncompliance with HIPAA requirements against covered health care providers in connection with the good faith provision of telehealth during this public health emergency.

California Executive Order

On April 3, 2020, Governor Gavin Newsom issued Executive Order (EO) N-43-20, which provides that where telehealth services are provided by a covered health care provider, those services must be consistent with the OCR Notification. No other requirements were imposed, except that, to the extent possible, providers "shall" use the measures that the Notification encourages. In addition, violations of certain state code sections regarding unauthorized disclosures of personal health information that result from the good faith provision of services via telehealth are not considered unprofessional conduct.

Therefore, if you are a covered health care provider subject to HIPAA, OCR will not penalize you for HIPAA noncompliance arising from your good faith delivery of psychological services via telehealth during the emergency. Your delivery of those services must nonetheless be consistent with the Notification, and you must give due consideration to the measures the Notification encourages to safeguard patient privacy and endeavor to adopt them.

The Notification specified the following:

  • Acceptable technologies. A provider who wants to use audio or video communication technology to provide services via telehealth can use any "non-public facing remote communication product" that is available to communicate with patients. Specifically, you may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype.
    • Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
  • Prohibited technologies. Video communication applications that are public facing, such as Facebook Live, Twitch, and TikTok, should not be used in the provision of telehealth.
  • If you want additional protections. Providers that want additional privacy protections for telehealth while using video communication products should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products. The Notification includes a list of some vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA. Some examples it provides (but does not endorse) are: Skype for Business; Updox; VSee; Zoom for Healthcare; Doxy.me; Google G Suite Hangouts Meet. Note that a BAA covers only the specific product named in it; the consumer version of a product listed under acceptable technologies above (for example, Zoom) is not the same offering as the BAA-covered version (Zoom for Healthcare).
  • The Notification only applies to "covered health care providers."
  • To view the Notification, visit telehealth.hhs.gov. On the homepage, follow the link to Policy Changes during COVID-19 under the For Providers section.

As part of its FAQs, OCR also recommends the following measures:

  • Locations. OCR expects that providers will ordinarily conduct telehealth in private settings, such as in a clinic or office connecting to a patient who is at home or at another clinic. Providers should always use private locations, and patients should not receive telehealth services in public or semi-public settings, absent patient consent or exigent circumstances.
  • Other reasonable measures. If services cannot be provided in a private setting, providers should continue to implement reasonable HIPAA safeguards to limit incidental uses or disclosures of protected health information (PHI). Such reasonable precautions could include using lowered voices, not using speakerphone, or recommending that the patient move a reasonable distance from others when discussing PHI.
  • The HHS FAQs are available at https://www.hhs.gov/hipaa/for-professionals/faq/telehealth/index.html

Lastly, licensees are reminded that they must comply with any other laws and regulations that apply to telehealth and are still in effect.