HIPAA Telehealth Flexibilities




On March 17, 2020, the Office of Civil Rights (the enforcement arm of HIPAA for the federal government) announced that it would not take enforcement action against HIPAA covered entities who provided care via telehealth under certain conditions. If the covered entity was, in good faith, providing telehealth services via a non-public facing mechanism, it could avoid an enforcement action even if it did not have a business associate agreement with that third-party platform. In essence, so long as the provider was not streaming a session over Facebook Live or some similar public platform, the provider would not face fines from the federal government.

The public health emergency ends on May 11, 2023, at which time there will be a 90-day transition period, which ends on August 10, 2023.  The enforcement discretion over the use of non-HIPAA compliant telehealth platforms will continue throughout the duration of the transition period. At the end of the transition period on August 10, 2023, HIPAA covered entities must resume providing telehealth services using HIPAA-compliant platforms. To be in compliance, covered providers must provide telehealth services via a platform with which they have a business associate agreement.

A business associate agreement is required anytime a third-party will have access to protected health information on behalf of a covered entity – whether a third-party biller, your attorney, or videoconferencing platform. Covered providers using telecommunications platforms such as Apple’s FaceTime or regular Zoom without a business associate agreement should take this time to prepare to switch to a HIPAA-compliant platform. Check out CAMFT’s Telehealth Corner.


Return to Newsletter