HIPAA Implications


While not addressed in the CARES Act, there are implications to HIPAA that the Office for Civil Rights and the Department of Health and Human Services have addressed in recent days.

Telemedicine HIPAA Changes

  • With the urgent expansion of telemedicine for examination of patients with COVID-19
    symptoms, HHS has relaxed rules around requiring BAAs with companies that provide web
    conferencing. However, this is on the assumption that a good faith effort must be made to
    establish a BAA in the future.
  • If a provider opts to use non-healthcare video chat services, such as Apple FaceTime, Google
    Hangouts, Skype, etc. they must notify their patient there are potential privacy risks and the
    patient must verbally accept that risk.
  • Providers must not use public-facing tools, such as YouTube, Facebook Live, Twitch, and others
    for providing care
  • SHP recommends using tools designed for telehealth, including Doxy.me (which has a free
    version), Zoom for Healthcare, and UDox. These companies will sign a BAA.

COVID-19 HIPAA Flexibilities

OCR put together a bulletin outlining flexibilities with HIPAA disclosures related to COVID-19:

  • Disclosures to public health authorities, agencies, and foreign government agencies involved
    with fighting COVID-19 and persons at risk of spreading or contracting COVID-19.
  • Disclosures to family, friends, and caregivers of those infected with COVID-19
  • Disclosures to the public to prevent a serious and imminent threat
  • Disclosures to the media to inform about COVID-19 patients

Details of these new flexible rules can be found here: https://www.hhs.gov/sites/default/files/february2020-hipaa-and-novel-coronavirus.pdf