top of page
Writer's pictureVanessa Higgins

HIPAA Violations

Updated: Jun 13, 2020


The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is responsible for enforcing the privacy and security rules of HIPAA. Due to the COVID-19 national emergency (also a nationwide public health emergency) OCR will not impose penalties for noncompliance for use of unapproved telehealth remote communication products.


The OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This notification is effective immediately.

The OCR goes on to further state that providers may use any non-public facing remote communication product.


OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.

OCR listed the following as acceptable for provider use:


  • Apple FaceTime

  • Facebook Messenger video chat

  • Google Hangouts video

  • Skype


Covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

Providers SHOULD NOT use:


  • NO Facebook Live

  • NO Twitch

  • NO TikTok

  • or similar video communication applications are public facing


The OCR provided a list of vendors that will sign a BAA with providers:


  • Skype for Business / Microsoft Teams

  • Updox

  • VSee

  • Zoom for Healthcare

  • Doxy.me

  • Google G Suite Hangouts Meet

  • Cisco Webex Meetings / Webex Teams

  • Amazon Chime

  • GoToMeeting


See the full article here:


26 views0 comments

Kommentarer


bottom of page