Telehealth, HIPAA and COVID-19

March 26, 2020

By: Eric N. Fischer, Willard L. Boyd III, Jason L. Giles

The Federal and State governments have taken steps to increase flexibility for health care providers during the COVID-19 crisis. On March 20, 2020, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued guidance in the form of FAQs as a follow-up to its Notification of Enforcement Discretion for good faith provision of telehealth during the COVID-19 nationwide public health emergency.


Under the Health Insurance Portability and Accountability Act (HIPAA), a “health care provider” is a provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.


Health care providers include physicians, nurses, clinics, hospitals, home health aides, therapists, other mental health professionals, dentists, pharmacists, laboratories, and any other person or entity that provides health care. Providers should review the FAQs and other guidance or seek guidance from an attorney, especially as they work to implement new telehealth solutions during the COVID-19 pandemic.


A few key takeaways from the OCR guidance include:


  1. No penalties for HIPAA violations from good-faith telehealth services. Covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.

  2. All patients are eligible for telehealth. This guidance applies to all HIPAA-covered health care providers, with no limitation on the patients they serve through telehealth services.

  3. All services appropriate for telehealth are eligible. All services that a covered health care provider, in their professional judgement, believes can be provided through telehealth in the given circumstances of the current emergency are covered by this guidance. This includes diagnosis or treatment of COVID-19 related conditions, such as taking a patient’s temperature or other vitals remotely, and diagnosis or treatment of non-COVID-19 related conditions, such as review of physical therapy practices, mental health counseling, or adjustment of prescriptions, among many others.

  4. “Bad Faith.” OCR will consider all facts and circumstances in determining whether the provider’s use of telehealth services is provided in good faith and therefore covered by the Notice. Bad faith includes, but is not limited to:

     - Use of public-facing remote communication products, such as TikTok, Facebook Live, Twitch, or a chat room like Slack, which OCR has identified in the Notification as unacceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication.

     - Violations of state licensing laws or professional ethical standards that result in disciplinary actions related to the treatment offered or provided via telehealth.

  5. Provision of Telehealth Services to Patients. OCR expects that health care providers will ordinarily conduct telehealth in private settings, such as an office or clinic. Providers should always use private locations and patients should not receive telehealth services in public or semi-public settings, absent consent or exigent circumstances. If telehealth services cannot be provided in a private setting, health care providers should implement reasonable HIPAA safeguards to limit incidental uses or disclosures of protected health information, including lowered voices, not using speakerphone, or recommending that the patient move a reasonable distance from others.

  6. Acceptable Platforms Used to Provide Telehealth Services. OCR has indicated that health care providers should provide telehealth services via “non-public facing remote communication products”. Non-public facing remote communication products include, without limitation: Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, WhatsApp video chat, or Skype. They also include commonly used text messaging applications like Signal, Jabber, Facebook Messenger, Google Hangouts, WhatsApp or iMessage. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.


On March 17, 2020, Iowa Governor Kim Reynolds issued a Public Health Proclamation. In the Proclamation, Governor Reynolds temporarily suspended the regulatory provisions of Iowa Code Section 147.137 and Iowa Administrative Code rule 653-13.11, rule 641-155.2 and other rules establishing preconditions, limitations or restrictions on the provision of telehealth and telemedicine services. The Proclamation also temporarily suspended Iowa Code and Iowa Administrative Code provisions requiring face-to-face interactions with health care providers and imposing requirements for residential and outpatient substance abuse disorder treatment and for face-to-face visitations.


The Federal and State action did not change the services that can be billed as a telehealth service. These changes provide Iowa health care providers additional flexibility in treating patients with telehealth services. If you have any questions or need assistance in determining how this or other guidance applies to you, please contact us.