Telehealth Availability and Access to Health Records Increase in Light of the COVID-19 Emergency

By Robert Shaw, Shawn Parker and Jackson Moore

Expansion of Telehealth Options

As part of the federal government’s response to the coronavirus (COVID-19) pandemic, agencies have rushed to relax restrictions on the provision of telehealth in order to facilitate the provision of medical services remotely. In this flurry of regulatory activity, many health care providers are left wondering what they can or cannot do. Below is a summary of what rules have been relaxed and how federal and state law interacts in this area.

The U.S. Department of Health and Human Services (“U.S. DHHS”), using its authority under the Public Health Service Act[1], declared a public health emergency on January 31, 2020, in light of the spread of COVID-19[2].  In the wake of this overarching declaration, several departments have issued guidelines and discretionary enforcement proclamations to facilitate the provision of telehealth services.

An important restriction on the provision of telehealth services is HIPAA’s Security Rule. The Security Rule imposes certain requirements to protect the security and integrity of data transfers. During the nationwide COVID-19 public health emergency, the U.S. DHHS Office of Civil Rights (“OCR”) will waive penalties for HIPAA violations of the Security Rule against health care providers who serve patients in good faith using every day, private-facing communication technologies, such as FaceTime, Facebook Messenger, Google Hangouts, or Skype[3].  OCR will not pursue penalties for breaches of the HIPAA Security Rule if electronic protected health information is intercepted during a good faith telehealth transmission.

“This exercise of discretion applies to telehealth provided for any reason,” regardless of whether the patient encounter relates to COVID-19. OCR’s notification applies to all HIPAA-covered health care providers, with no limitation on the category of patients served. OCR states that public facing video communication applications, such as Facebook Live, Twitch, Discord and TikTok should not be used, nor should chat rooms such as Slack[4]

HHS has defined telehealth to include the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and landline and wireless communications. OCR’s notification of enforcement discretion does not have an expiration date, but OCR will issue a notice to the public when it is no longer exercising its enforcement discretion.

Also, the Drug Enforcement Agency has suspended the requirement that a doctor conduct an initial, in-person examination of a patient before electronically prescribing a controlled substance. This suspended requirement, which is part of the Ryan Haight Online Pharmacy Consumer Protection Act of 2008[5], was waived for all schedule II-V controlled substances, so long as the prescription is issued for a legitimate medical purpose; the telemedicine communication is conducted using an audio-visual, real-time, two-way interactive communication system; and the practitioner is acting in accordance with applicable State and Federal laws[6].

For Medicare patients, the Centers for Medicare & Medicaid Services (“CMS”) has broadened access to telehealth services for Medicare enrollees. Geographic and originating site Medicare telehealth reimbursement restrictions have been waived after the March 6, 2020 passage of the Coronavirus Preparedness and Response Supplemental Appropriations Act and related CMS guidance issued on March 17, 2020[7]

Under the new CMS guidance, patients can be seen via live videoconference in their homes without traveling to a qualifying originating site for Medicare telehealth encounters. Covered telemedicine for purposes of Medicare reimbursement does not include a telephone-only encounter, but must combine live video and audio. Providers should remember that it is generally a better practice to have Business Associate Agreements executed with software companies participating in telehealth. 

State licensing laws should also be consulted because the special provisions above from OCR, CMS, and DEA do not override state laws governing telehealth. In general, physicians who wish to provide telemedicine services must be licensed in the state where the patient is located at the time the physician provides medical services.  Many states have made exceptions to in-state licensure requirements and have modified their telemedicine policies in light of the COVID-19 emergency. The Federation of State Medical Boards maintains a list summarizing these changes, organized by state. Additionally in a  March 24, 2020 letter sent to all 50 governors, the Secretary for the U.S. DHHS urged states to take immediate action under applicable state laws “to waive restrictions on licensure, scope of practice, certification, and recertification/relicensure” consistent with changes announced for federal programs.

Guidance on Information Sharing for First Responders

On March 24, 2020, OCR issued guidance advising when health care providers can share coronavirus patient information with law enforcement, paramedics, first responders and public health authorities in compliance with HIPAA’s Privacy Rule and without an individual’s authorization. OCR advised that HIPAA permits disclosure of the name or other identifying information of a patient who has been infected with or exposed to COVID-19 when the information is necessary to “prevent or lessen a serious or imminent threat to the health and safety of a person or the public,” or when first responders may be at risk of infection, or to “notify a public health authority in order to prevent or control spread of disease.” OCR cautioned that other applicable laws may place additional restrictions on disclosures and that a covered entity must make reasonable efforts to limit the information used or disclosed to that which is the minimum necessary to accomplish the purpose of the disclosure. OCR offers the example of a hospital providing a list of names and addresses of all individuals known to have tested positive for or received treatment for COVID-19 to EMS dispatch for use on a per-call basis. Sharing the list broadly with EMS personnel or disclosing the contents publicly would not be permitted[8].

If you have any questions related to this alert, please do not hesitate to contact your regular Smith Anderson lawyer or any other member of our firm. Additionally, please visit and bookmark our firm’s Coronavirus (COVID-19) Business Resource Center which is continuously updated with useful materials and resources related to COVID-19. This tool has been made available to ensure that our clients and the broader business community stay informed on key issues that may impact their operations and to navigate the related business and legal issues during these challenging times.

[1] 21 U.S.C. 802(54)(D)










Jump to Page

This website uses cookies to enhance your browsing experience and improve functionality. To learn more, you may view our Privacy Policy. By continuing to browse Smith Anderson's website, you are accepting our use of cookies in accordance with our privacy policy.