Post-PHE Telehealth becoming HIPAA-Compliant by August 9

Last Updated: Jun 7, 2023

The public health emergency (PHE) expired on May 11th, 2023, at 11:59 pm. We have entered the post-PHE world for the time being. Telehealth will be similar to how it was during the PHE, but with some changes from a regulatory standpoint. We will cover those regulatory changes to help ensure that your practice complies with the requirements of the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

During the public health emergency, the requirement for business associate agreements (BAAs) was waived. Once the PHE ended, a HIPAA business associate agreement was to be required in order to comply with HIPAA regulations. The purpose of a business associate agreement is to create a binding contract that makes the vendor liable for any HIPAA breach if one were to occur. During the PHE, HHS provided a list of vendors who advertised that they were HIPAA compliant and would enter into a business associate agreement [1]. The vendors listed were:

HHS did imply that the Office for Civil Rights has not reviewed the BAAs offered by these vendors and that there may be others that offer HIPAA-compliant technology and are willing to enter into a BAA. To ensure that a vendor's BAA meets HHS requirements, it is recommended to review the definition and sample BAA that HHS provides on its site, which can be found here [12].

Prior to the expiration of the PHE, the Office for Civil Rights provided a 90-day transition period for healthcare organizations to become HIPAA-compliant when performing telehealth. The transition period will expire at 11:59 pm on August 9th. The press release announcing this transition period can be found here [13].

For guidance regarding HIPAA compliance and telehealth, HHS shared a guide to compliance from the National Consortium of Telehealth Resource Centers, which can be found here [14]. For additional information and guidance, HHS also shared a document regarding telehealth and the HIPAA rules [15].

References

  1. Office for Civil Rights (OCR). (2021, June 28). Notification of enforcement discretion for telehealth. HHS.gov. https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html
  2. Virtual health with a HIPAA BAA in place automatically. TECHCOMMUNITY.MICROSOFT.COM. (2021, August 9). https://techcommunity.microsoft.com/t5/healthcare-and-life-sciences/virtual-health-with-a-hipaa-baa-in-place-automatically/ba-p/2621101
  3. Telehealth. Updox. (2022, August 12). https://www.updox.com/solutions/telehealth/
  4. Most trusted HIPAA compliant telemedicine solution. VSee. (n.d.). https://vsee.com/
  5. Comprehensive telehealth platform for Providers. Zoom. (2023, April 26). https://explore.zoom.us/en/industry/healthcare/
  6. The easiest telemedicine solution. Doxy.me. (n.d.). https://doxy.me/en/providers/
  7. Google. (n.d.). HIPAA compliance with Google Workspace and Cloud Identity. Google Workspace Admin Help. https://support.google.com/a/answer/3407054
  8. Webex. (2023, February 8). Exceptional telehealth experiences: Webex for Healthcare. Webex. https://www.webex.com/industries/healthcare.html
  9. Aggleton, P. (2015). Health. Amazon. https://aws.amazon.com/health/solutions/telehealth/
  10. Unified Communications for Healthcare: HIPAA Compliant Video Conferencing: Goto. Healthcare | GoTo Suite. (n.d.). https://www.goto.com/healthcare
  11. Spruce Health. (n.d.). Spruce: Medical Communication. Spruce Health. https://www.sprucehealth.com/
  12. Office for Civil Rights (OCR). (2023, January 17). Business associate contracts. HHS.gov. https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
  13. Office for Civil Rights (OCR). (2023b, April 25). HHS Office for Civil Rights announces the expiration of COVID-19 public health emergency HIPAA notifications of enforcement discretion. HHS.gov. https://www.hhs.gov/about/news/2023/04/11/hhs-office-for-civil-rights-announces-expiration-covid-19-public-health-emergency-hipaa-notifications-enforcement-discretion.html
  14. TRC National Consortium of Telehealth Resource Centers. (2017, February 6). HIPAA & Telehealth: A stepwise guide to compliance. https://southwesttrc.org/sites/default/files/resources/factsheets/HIPAA-Final.pdf
  15. Office for Civil Rights (OCR). (2022, June 10). Guidance: How the HIPAA rules permit covered health care providers and health plans to use remote communication technologies for audio-only telehealth. HHS.gov. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html
