Insights & Resources

COVID-19 Resource Center

    Back To COVID-19 Resource Center
    COVID-19 Update: Telehealth – waiver of HIPAA requirements and expanded flexibility

    COVID-19 Update: Telehealth – waiver of HIPAA requirements and expanded flexibility

    On March 17, 2020, the Centers for Medicare and Medicaid Services (CMS) issued new guidance regarding telehealth services to allow greater flexibility of use during the COVID-19 (coronavirus) pandemic.

    To facilitate the provision of telehealth services, the Office of Civil Rights (OCR) issued a notice that it would exercise enforcement discretion and will waive any potential penalties for HIPAA violations against health care providers that serve patients through everyday communications technologies during the COVID-19 nationwide public health emergency.

    This HIPAA waiver provides the following significant removal of restrictions

    • The discretion applies to good faith use of any non-public facing remote communication product that is available to communicate with patients for any telehealth treatment or diagnostic purpose.
    • The telehealth services may be for any patient. The services do not have to be directly related to COVID-19.
    • Technology that may be used includes popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video or Skype. Use of public facing applications, such as Facebook Live, are not permitted.
    • Providers are encouraged to use technology with vendors willing to enter into business associate agreements. However, OCR notes that penalties will not be imposed for lack of business associate agreement with these technology vendors.
    • Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
    • The notice is effective immediately and is not limited to a 72-hour period after disaster protocol implementation (as are the other HIPAA waivers announced on March 13).

    OCR noted it will be providing further guidance regarding how covered health care providers can use remote video communication products and offer telehealth to patients responsible.

    CMS also released additional guidance on the expansion of telehealth in a FAQ bulletin, highlights of which include: 

    • Covered telehealth services may be provided regardless of patient location (e.g., their homes); there are no setting limitations.
    • Professionals may bill for these services, and Medicare will pay the same amount as if the service was furnished in person. For Medicare telehealth services, the claim should reflect the designated Place of Service (POS) code 02-Telehealth. For those services that have different rates in the office versus the facility (the site of service payment differential), Medicare uses the facility payment rate when services are furnished via telehealth.
    • Health care providers may use additional forms of everyday communications technologies to provide these services (see HIPAA guidance above).
    • An established patient relationship requirement is not required. The Department of Health and Human Services announced it would use its 1135 waiver authority to waive enforcement of any prior relationship requirement. 
    • Services may be provided to any patient. It is not required that these be services for patients being treated for COVID-19.
    Download PDF