Bloomberg Law

Pandemic Expands Telehealth Despite Privacy Law: HIPAA Explained

May 8, 2020, 9:33 AM

Telehealth doctor appointments have become a new feature of the pandemic as the administration eased health privacy enforcement to expand the practice to protect providers and patients from Covid-19.

Virtual visits can keep patients from showing up to hospitals unannounced and potentially exposing themselves and others to the coronavirus. They can also ensure ongoing care for people with chronic conditions that may make them vulnerable to the virus.

To facilitate the expansion, the government temporarily waived parts of the 1996 Health Insurance Portability and Accountability Act (HIPAA). The law was enacted before electronic health records were regularly in use, and its strict interpretation of who is covered and what those entities must do has effectively quashed broad telehealth use.

Telehealth has expanded during the pandemic, but relaxed enforcement of video conferencing apps for health care is only temporary. Post-pandemic, regulators will need to update the rules to make it clear that companies like Google Inc., Apple Inc., and Skype Communications must meet strict security requirements.

1. What Is HIPAA?

The law’s original purpose—ensuring that people could maintain health insurance coverage when moving between jobs—meant they couldn’t be turned down by an insurer if they showed they had continuous coverage for the previous 18 months. Congress added the first privacy protections, giving patients rights to their own data, in 2003.

Its current form contains two main regulations for data protection. The privacy rule requires three covered entities—health providers, insurers, and the health “clearinghouses” that standardize or convert patient data—to protect health information like names, treatments, and diagnoses.

The separate security rule requires covered entities to ensure that a patient’s electronic health data is secure when transmitted via email and network platforms.

Neither piece specifically mentions communications apps or the companies that make them.

Penalties for a single HIPAA violation—e.g., an impermissible disclosure of protected patient information—can total as much as $59,522, and fines have an annual cap of $1,785,651, according to the Department of Health and Human Services’ Office for Civil Rights.

2. How Did HIPAA Suppress Telehealth Use?

Lawmakers updated the law in 2013 such that Google, Apple, and Skype can be HIPAA compliant. Those companies can now be considered “business associates” of doctors or insurers, which means they’re required to store and share patient data in the same secure way.

The changes allow tech companies to be part of telehealth practices, but they have to go through several bureaucratic hoops. They or their subcontractors need to enter a “business associate agreement” with the specific doctor or practice. Those contracts need several elements to be compliant.

Until the pandemic, the government, under Medicare, wouldn’t pay doctors or hospitals for telehealth services except in limited circumstances, like appointments in specific rural areas or to treat specific conditions. That deterred widespread use of virtual office visits.

3. How Did the Waivers Facilitate Broader Telehealth?

In March, the HHS relaxed HIPAA rules, allowing doctors to use video apps such as Zoom, Apple FaceTime, Facebook Messenger, or Google Hangouts without a business associate agreement. The waiver helps health providers maintain patient care and protect populations with underlying or chronic conditions who might be at greater risk from Covid-19. It’s in effect until the pandemic ends.

Doctors and clinicians now have more options to communicate with low-income patients—i.e., through smartphones in the absence of home computers or powerful broadband. The administration further relaxed rules April 30 allowing some health services to be delivered by phone. It also expanded the types of practitioners who can deliver health care by phone or video chat.

Health providers and video-conferencing companies are still responsible for protecting patient data, like notes and lab reports, as they flow between doctors and patients across online platforms.

The pandemic also changed the circumstances under which the government pays providers. Doctors can now offer Medicare patients video conferencing or phone calls for a variety of services and be assured of government reimbursement.

4. What Comes After the Pandemic?

Health-care lawyers expect telehealth will continue to grow, but when the HHS waivers expire, health systems will have to enter into more business associate agreements if they want to continue treating patients remotely.

Government health officials also expect the practice to continue, but they’ll eventually need to write permanent rules that continue to allow more Medicare payment for telehealth and allow doctors to treat patients across state lines. The agency also needs to specify enforcement guidelines for video-conferencing apps.

HHS officials are considering what changes will become permanent when the pandemic ends.

To Learn More:

From Bloomberg Law—

Telehealth’s Virus Boom Has Doctors Looking Beyond the Pandemic

Doctors Using Zoom Face Security Scrutiny During Virus

Covid-19 Makes Virtual Doctor Visits Tempting but Hazards Linger (1)

INSIGHT: Key Medicare Telehealth, HIPAA Changes During Coronavirus Pandemic

Busy Privacy Agenda for 2020 Has Health Companies on Edge

State Privacy Laws Could Wreak Havoc on Medical Device Industry

To contact the reporter on this story: Ayanna Alexander in Washington at

To contact the editors responsible for this story: Fawn Johnson at; Cheryl Saenz at