Ensure HIPAA Compliance During COVID-19 HIPAA Waiver

Want to implement telehealth in your practice during COVID-19? Careful, the HIPAA waiver does not entirely lift HIPAA compliance.

Download attorney Dooley’s slides from our recent telemedicine webinar

By Anjali B. Dooley, JD, MBA, healthcare attorney
April 5, 2020

During the coronavirus emergency, the United States Department of Health and Human Services (HHS) has loosened HIPAA compliance rules for telehealth, including provider licensing, reimbursement and pharmacy. However, that does not mean you should implement telemedicine in your practice without thinking it through.

HHS, the American Medical Association (AMA) and the Congressional Research Service are doing their best to issue telehealth guidelines during this temporary relaxation of HIPAA compliance rules. As a telemedicine healthcare attorney, I want to offer my thoughts about how to go about HIPAA compliance and telemedicine implementation and use.

Telemedicine apps that do and don’t meet HIPAA compliance

The HHS Office of Civil Rights has issued a statement in light of the national emergency saying, “a covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients.”

That means providers can use any kind of chat or video tool to communicate with and consult patients right now, from phone calls and text messaging to popular video apps – few of which meet HIPAA compliance standards.

The temporary rule change enables applications such as Microsoft Skype, Apple FaceTime, WhatsApp, Facebook Messenger, Zoom for Healthcare and others, which are not typically HIPAA compliant, to be covered entities for telehealth.

Hitting the record button could be a goldmine for personal injury attorneys to discover, should there be any malpractice ramifications post pandemic.

These popular, pervasive tools make telehealth extremely safe for social distancing, convenient, and often free for patients and doctors alike.

Public-facing or broadcast-oriented apps, such as TikTok, Snapchat, Twitch, regular Facebook posts, and Facebook Live are not covered entities and are not secure.

What makes an app HIPAA compliant?

When considering the best app to use for telemedicine, it is my recommendation that if you can implement one that already meets HIPAA compliance standards, you should do so.

To be HIPAA compliant, the app vendor will offer a Business Associate Agreement (BAA). In simple terms, a BAA is a signed agreement between a covered entity (the provider) and the vendor that ensures the safeguarding of protected health information (PHI). Examples of apps that meet HIPAA compliance include Microsoft Skype, Google G-Suite Hangouts, Vsee, Updox, among others.

Takeaway: A BAA will not only allow you to continue to use the telehealth platform after the pandemic emergency, but it offers documentation that you are being reasonable and trying to do the right thing.

Document, document, document

One of the most important points I can emphasize is that telehealth visits are to be treated just like in-office visits. That means you must take notes, document the visit, code it properly and enter the information into the patient’s record. There is a lot of coding guidance and risk management that a legal compliance professional can offer.

One thing that is different for a telemedicine visit is that you must obtain consent from the patient to be treated virtually. Whether it’s telephonic, text message or video, a provider must document that the patient has given consent to be seen via a telehealth channel and that he or she authorizes the provider to give advice over that medium. When the pandemic is over, you will probably need written documentation from the patient; currently, verbal consent is acceptable.

I recommend contacting your EHR provider, too, because the system may have a feature that downloads and inputs text messages. In addition, some EHR systems offer telehealth platforms and may have a vendor or tool already in place that will automatically upload the record and notes for documentation purposes. Be sure to ask about remote options available.

There is one caveat to documentation that I highly recommend: do not record video consults. I realize this could be a convenient solution to note taking, but it would be better to take handwritten notes or have a scribe participate in the consult (with the patient’s permission). If you hit the record button, the visit can be discoverable by personal injury attorneys and expose you to liability.

Takeaway: Just as if the visit were in person, documentation will not only help cover you against any claims, but it allows you to get reimbursed.

HIPAA waiver does not negate standard of care for HIPAA compliance

I can’t emphasize enough that when implementing telemedicine, the standard of care does not change.

Standard of care is defined as what a thoughtful, reasonable, prudent provider (physician, nurse, physician assistant, nurse practitioner) would provide in a similar circumstance. This rule has not changed, so be aware that it remains the same for a telemedicine visit as it would be for an in-person visit.

Standard of care is often specialty driven and locality based. Be sure to contact your malpractice insurance carrier to make sure you or your practice’s providers are allowed to conduct telemedicine visits, and get written authorization.

Also, while some licensing restrictions have been eased, if you plan to consult a patient in another state, remember it is that state’s laws that will govern your malpractice claims.

Takeaway: confirm whether you can conduct telehealth visits, define what kind of patients you want to see using this mode of communication, and have the CPT codes ready.

Your scope of practice must also meet HIPAA compliance

Scope of practice is defined as what kind of care a provider can deliver based on education, training and experience. For example, an orthopedic surgeon shouldn’t be giving advice about urological issues.

Also, most states still require collaboration or supervision agreements with physician assistants and nurse practitioners. However, that collaboration and supervision can be conducted via telehealth, as long as the agreements are in place. Again, some of these restrictions are being lifted temporarily, but it is best to consult with a compliance legal professional.

Takeaway: try not to practice outside of your scope and confirm that you have agreements in place with complementary providers.

Download my slides

HIPAA COVID-19 Telemedicine Slides
Anjali Dooley is the managing partner at the Law Office of Anjali B. Dooley, LLC. She has extensive experience in telemedicine, emerging healthcare technologies, rural healthcare and business law. She can be reached at [email protected] or 833.ANJALI.5.