On March 20, 2020, OCR released a Frequently Asked Questions list to help further clarify its March 17th Waiver. In the FAQ, OCR clarifies that the waiver not only allows providers to utilize platforms that do not comply with the requirements of the Security Rule (discussed in our original post), but also applies to the Breach Notification and Privacy Rules that may be implicated when using a less secure platform. OCR also assures providers that if protected health information is intercepted during the “good faith provision of telehealth,” OCR will not pursue otherwise applicable penalties.
As also noted in our prior post, to benefit from the waiver, providers must be engaged in the “good faith provision of telehealth during the COVID-19 nationwide public health emergency.” Accordingly, providers that OCR determines are not providing telehealth services in good faith could be prosecuted. While this determination is made in light of all the facts and circumstances, OCR provides examples where it would likely not find that the provider was acting in good faith. These “bad faith” examples include: (i) using the platform to further an illegal act, (ii) further disclosing patient health information in violation of the Privacy Rule (e.g., using it for marketing without the patient’s prior authorization), (iii) violating state laws when providing the services (e.g., providing services without a license or applicable state waiver), and (iv) using a public-facing platform to communicate with patients (e.g., TikTok or a public chat room). In sum, while the waiver gives healthcare providers the opportunity to continue to serve their patients during this outbreak, it should not be treated as a completely “free pass,” and providers should be aware of its limits. If you have any questions, please contact one of our healthcare or privacy attorneys.
Review the full FAQ.