What is the effect of HHS waiving HIPAA fines?
On March 17, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights gave notice that during the COVID-19 emergency it will waive penalties for HIPAA violations by providers in connection with the “good faith” provision of telehealth.
The notice specifically mentions not enforcing the requirement that practitioners have a Business Associate Agreement (BAA) with a telehealth videoconferencing platform vendor. (For more on BAAs, see The Nuts and Bolts of Business Associate Agreements (PDF, 282KB).
However, the notice is vague about what other HIPAA provisions related to telehealth HHS won’t enforce.
Despite this notice, APA recommends that practitioners use a telehealth platform vendor that will sign a BAA and that claims to be HIPAA compliant. Here’s why:
- The notice still recommends doing so to better protect patient privacy. It also lists several such vendors.
- Using a HIPAA-compliant vendor now will save practitioners from having to switch vendors and learn a new system once the crisis is over. (See Comparing the latest telehealth solutions for vendor reviews.)
- The HHS Office of Civil Rights does not have authority to waive any similar requirements in state law.
Remember that the notice doesn’t suspend enforcement regarding your overall practice and HIPAA compliance. Also, psychologists should not count on nonenforcement of any HIPAA requirement not directly related to providing telehealth. For FAQs about this notice see the FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency (PDF, 94KB) webpage.
As always, before you decide to provide telepsychology, you should carefully weigh the potential benefits/risks for each patient based on the circumstances of each patient and psychologist.