On March 17, 2020, the Office for Civil Rights (“OCR”) announced that—for the duration of the COVID-19 emergency—it would exercise enforcement discretion and waive any potential penalties for HIPAA violations relating to health care providers’ use of “everyday communications technologies” in the provision of services via telehealth (the “HIPAA Waiver”). This move has resulted in a drastic increase in the number of telehealth encounters. The HIPAA Waiver has enabled many providers to immediately leverage these technologies to render services via telehealth for the first time, without the need to expend significant resources to quickly ramp up a HIPAA-compliant telehealth platform. A summary of the HIPAA Waiver can be found in a recent blog post. While the HIPAA Waiver applies only temporarily, it is likely that the increased reliance on telehealth evidenced over the past three months is here to stay.

The COVID-19 pandemic’s impact on the regulatory landscape of telehealth was the topic of a June 17, 2020 hearing before the Senate Health, Education, Labor & Pensions Committee. As Chairman Lamar Alexander acknowledged during his opening statement, the health care sector and government “have been forced to cram 10 years’ worth of telehealth experience into just the past three months.” Indeed, this “cramming” has resulted in thirty-one temporary changes to telehealth policy at the federal level. Of these temporary changes, Chairman Alexander included the OCR enforcement discretion / HIPAA waiver as one of the three changes he considers most important. However, the Chairman did not include the enforcement discretion among the temporary changes he believes should be made permanent, and instead called upon his colleagues to consider whether to extend the HIPAA waiver.[1]

While some providers may be eager to see the extension of the current waiver, and even welcome a permanent change to HIPAA, providers should be cognizant of the double standard imposed when seeing patients in person versus using a virtual platform. For example, providers seeing patients in person will be expected to remain in full compliance with HIPAA, despite being afforded flexibility if using a non-secure telehealth platform. If providers elect to utilize “everyday communications technologies” when rendering services via telehealth, providers must rely on whatever contractual obligations the technology vendor has undertaken in order to address any privacy violations. Consequently, private and potentially sensitive information may be intercepted during transmission. Even if the third parties are not malicious, they may use information they intercept to create products, such as advertisements for consumers. For example, a patient or provider could share information about a diagnosis such as a calcium deficiency, and then for the next few days, all of the internet advertisements the patient is presented with concern calcium supplements (you can imagine how this could grow more concerning in the event of a more serious or private issue, such as mental health, SUDs, sexual health, fertility, ESRD and other sensitive diagnoses and treatments). Although OCR may decide not to impose penalties for violations that occur during good faith provision of telehealth services, a patient whose information was the subject of a HIPAA violation may view a provider as less credible or reputable. Providers must weigh the benefit of providing low-cost telehealth services to patients against the potential harm of not working with a HIPAA-compliant telehealth platform and/or losing a patient’s trust.

Another consideration of which providers should be acutely aware is that many state laws regarding privacy, security, and breach notification have not been waived, or will not continue to be waived, during or after the COVID-19 emergency. While some EHR and other provider software platforms may integrate telehealth into their software to allow easy recordkeeping during virtual appointments, providers using a non-integrated telehealth platform should be aware that the same or similar rules apply regarding recordkeeping and data retention for patients. Up-to-date and accurate recordkeeping will ensure a continuity of care and compliance with law, and may have the ancillary effect of promoting accurate billing.

As we (hopefully) transition to a post-pandemic world, providers should be aware of the potential double standard for patient privacy. For many providers, it may be easiest and less costly overall to confront this double regulatory standard by ensuring full “standard” HIPAA compliance across all health care delivery methods. Providers may consider using this time of OCR enforcement discretion to prepare for investment in better technology and to research and vet vendors that represent themselves as HIPAA-compliant in the traditional sense. Additional best practices for providers leveraging telehealth technologies during the pandemic include the following:

  • Using vendors that represent that they are HIPAA compliant and that they will enter into a business associate agreement. OCR has prepared a list of such vendors.
  • Asking patients to confirm they are in a private setting.
  • Documenting patient consent to the use of non-compliant technology and clearly noting that, because of COVID-19, such use was not inappropriate.

[1] Telehealth: Lessons from the COVID-19 Pandemic Before the S. Health, Education, Labor & Pensions Comm., 116th Cong. (2020) (statement of Sen. Lamar Alexander, Chairman, S. Comm. on Health, Education, Labor, & Pensions).

https://www.help.senate.gov/imo/media/doc/Alexander Opening Statement Telehealth_Lessons from the COVID-19 Pandemic1.pdf
