HIPAA & CORONAVIRUS BLOG POST 4―Enforcement Discretion for Telehealth Remote Communications during the COVID-19 Nationwide Public Health Emergency: HIPAA & HITECH Act Blog by Jonathan P. Tomes

Jon Tomes

Roger Severino, the Director of the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) has announced that OCR is “empowering medical providers to serve patients wherever they are during this national public health emergency. We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”

Consequently, OCR announced that, during the COVID-19 nationwide public health emergency, covered entities may communicate with patients, and provide telehealth services, through remote communications technologies. Some of these technologies, and the manner in which they are used by HIPAA covered health care providers, may not fully comply with the requirements of the HIPAA Rules. Note that this nonenforcement of the HIPAA Security and Privacy Rules does not waive state or federal laws requiring practitioners to be licensed in the state in which they are performing health care services.

Effective immediately, OCR will use its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products (that is, products that by default allow only the invited participants to join the session, as opposed to public-facing livestreaming platforms open to anyone) during the COVID-19 nationwide public health emergency. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.

The announcement provided an example of the apparently temporary “blessing” for the use of telemedicine: “a covered health care provider in the exercise of their professional judgement may request to examine a patient exhibiting COVID-19 symptoms, using a video chat application connecting the provider’s or patient’s phone or desktop computer in order to assess a greater number of patients while limiting the risk of infection of other persons who would be exposed from an in-person consultation. Likewise, a covered health care provider may provide similar telehealth services in the exercise of their professional judgment to assess or treat any other medical condition, even if not related to COVID-19, such as a sprained ankle, dental consultation or psychological evaluation, or other conditions.”

The three attorney/consultants at EMR Legal would suggest, however, that this exercise of discretion not to sanction telemedicine that would otherwise violate HIPAA during the period of national emergency does not mean that a covered provider should ignore HIPAA. Nor does it suspend the other federal and state laws and medical ethics requirements that protect the security (confidentiality, integrity, and availability) of health information, which would apply even if HIPAA did not exist. So you should take whatever protective steps are doable without compromising the utility of telemedicine in this emergency.

To that end, the author is attaching his sample telemedicine policy, which is normally available only to premium members and those who have purchased his Compliance Guide or Complete Guide to HIPAA Policies and Procedures. The policy will, of course, need to be tailored to your specific situation. As with the work-at-home policy that I provided in my last blog post, I will review your edits at no charge if you email them to me at jon@veteranspress.com.

Telemedicine Security Policy


[Name of organization] has adopted this Telemedicine Security Policy to comply with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as modified by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) (hereinafter HIPAA); the Department of Health and Human Services (“HHS”) security and privacy regulations; and the accreditation standards of The Joint Commission (formerly the Joint Commission on Accreditation of Healthcare Organizations, “JCAHO”), as well as our duty to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements. All workforce members of [name of organization] must comply with this policy. Familiarity with the policy and demonstrated competence in the requirements of the policy are an important part of every [name of organization] workforce member’s responsibilities.


This Telemedicine Security Policy is based on the following assumptions:

  • Telemedicine can, in certain instances, provide better, more cost-effective health care than providing health services at one site alone.
  • Use of telemedicine can provide for better and more timely diagnosis and treatment than traditional referrals and consultations by allowing for remotely located physicians to interact live with the patient and his or her providers.
  • Telemedicine can provide additional contact between patients and caregivers, thereby improving their relationship and resulting in better care.
  • Telemedicine carries with it the risks inherent in any transmission of health information, such as loss of data integrity, availability, and confidentiality.
  • Telemedicine may result in the unauthorized practice of medicine in another state or another jurisdiction.


[Name of organization] will practice telemedicine in appropriate cases only in accordance with the law, medical ethics, and accreditation requirements. All personnel involved in telemedicine must take the following actions:

  • Safeguard the privacy and confidentiality of patients involved in telemedicine.
  • Ensure that no other patient is visible or audible, in the background or otherwise, while a patient’s telemedicine session is in progress.
  • Ensure that each patient’s data is removed from the screen when the telemedicine session involving that patient has been completed.
  • Safeguard recordings (videotapes or other media) created in the telemedicine process.
  • Report any violations of this Telemedicine Security Policy in accordance with [name of organization]’s Report Procedure.


The following elements of [name of organization] must perform the duties listed below.

[Chief of Medical Staff] [other]

  • Ensure that the [medical staff bylaws] [other document] detail the requirements for the practice of telemedicine, including guidelines for routine and emergency use of telemedicine.

  • Ensure that the [compliance officer] [outside counsel] [other] reviews telemedicine agreements for legal sufficiency and to ensure that the particular telemedicine arrangement does not constitute the unauthorized practice of medicine.
  • Ensure that the attending physician obtains written informed consent to practice telemedicine. The consent must give the patient all information that will enable the patient to evaluate knowledgeably the options available and the risks inherent in the practice of telemedicine.
  • Ensure that authority to practice telemedicine is appropriately granted in the physician credentialing process.

[Compliance Officer] [Outside Counsel] [other]

  • Review telemedicine agreements/arrangements for legal sufficiency with particular attention to whether such practice of telemedicine would constitute the unauthorized practice of medicine in relevant jurisdictions.
  • Develop, in coordination with the [chief of the medical staff] [other], an informed consent form for telemedicine.

[Organization Administrator] [Office Manager] [other]

  • Ensure that uses and disclosures in telemedicine are properly reflected in [name of organization]’s Statement of Information Practices.

  • Perform a risk analysis of telemedicine and implement reasonable and appropriate security measures, including a written determination of whether encryption is reasonable and appropriate and, if not, whether an equivalent alternative measure is. If neither is reasonable and appropriate, document why not, as the HIPAA Security Rule requires for addressable implementation specifications.
  • Ensure that informed consent to practice telemedicine forms are made part of the medical record.
  • Work with [the director of information systems] [other] to ensure that telemedicine communications are secure and protected from breaches of confidentiality.
  • Develop controls to ensure accuracy of input in accordance with [name of organization]’s Formal Mechanism for Processing Records.
  • Ensure that all parties have signed nondisclosure agreements. Because uses and disclosures of individually identifiable health information between providers during telemedicine are for medical consultation or referral (treatment), no business associate relationship is formed between the providers and no formal business associate contract is needed for that exchange. Nonetheless, confidentiality/nondisclosure agreements, similar to chain of trust partner agreements when data is transmitted between entities, are necessary. Note that this treatment exception covers the provider-to-provider exchange, not the vendor of the communication platform: a vendor that creates, receives, maintains, or transmits protected health information on [name of organization]’s behalf (for example, by storing session recordings or transcripts, rather than merely transmitting the session as a conduit) is a business associate and requires a business associate agreement.
  • Incorporate telemedicine in the [name of organization] Release of Information Policy to ensure that only authorized disclosures are made.
  • Properly maintain all media, such as videotapes, in accordance with [name of organization]’s Retention Policy.
  • Properly dispose of telemedicine data in accordance with [name of organization]’s Retention and Destruction Policies.
  • Maintain required telemedicine confidentiality documents, such as consents, for not less than six years.

[Director of Information Systems] [other]

  • Work with the [organization administrator] [other] to ensure that telemedicine communications are secure and protected from breaches of confidentiality.
  • Establish video and image links to the correct location(s).
  • Perform a risk analysis of telemedicine to determine whether encryption or other security measures are necessary and implement necessary security measures.
  • Establish a method to ensure that only authorized persons receive and transmit telemedicine data, consistent with the Security Rule’s unique user identification and person or entity authentication standards.
  • Perform necessary telemedicine information asset maintenance.
  • Audit telemedicine for data integrity and for compliance with [name of organization]’s policies and procedures.
  • Test and revise telemedicine procedures.
  • Where sessions are recorded, employ redundant systems that mirror the recording so that both the referring and consulting facilities retain an original copy of the media.
  • Maintain documentation of telemedicine security measures for not less than six years.


All officers, agents, employees, and other workforce members of [name of organization] must adhere to this policy, and all supervisors are responsible for enforcing this policy. [Name of organization] will not tolerate violations of this policy. Violation of this policy is grounds for disciplinary action, up to and including termination of employment and criminal or professional sanctions in accordance with [name of organization]’s medical information sanction policy and personnel rules and regulations.


______________________________                        ______________________________

Signature of User                                                                        Date


______________________________                        ______________________________

Title of User                                                                                 Printed Name of User


______________________________                        ______________________________

Witness                                                                                         Printed Name of Witness
