Telehealth and HIPAA Compliance During The COVID-19 Outbreak

Fri, May 01, 2020
By: Jim Beran

One of the most challenging aspects of the COVID-19 pandemic and resulting changes to our working environments has been maintaining HIPAA compliance when treating patients remotely.

At Gilmore Services, we work with many healthcare providers, helping them to create HIPAA-compliant data storage and destruction. In recent days, there have been some modifications to HIPAA rules to assist healthcare providers and the companies that support them to quickly exchange health information when necessary. Here’s what you need to know.

Notification of Enforcement Discretion

The Department of Health and Human Services (HHS) has announced several areas where it has relaxed enforcement of HIPAA regulations in response to the pandemic.

  1. The first change regards the establishment and operation of community testing sites. The announcement applies to all HIPAA-covered healthcare providers and their business associates who are involved in running community-based testing sites. Providers are expected to take reasonable precautions to protect patients’ health information and privacy, including setting up opaque barriers and releasing Protected Health Information (PHI) on an as-needed basis.
  2. The second change applies to all HIPAA-covered healthcare providers and their business associates who are treating patients with COVID-19. It works in the same way as the first rule, allowing first responders and providers to make in-the-moment decisions and share PHI as needed when it is necessary to treat a patient or prevent the spread of COVID-19.

Our interpretation of both rules is that they do not and should not permit a wholesale disregard of HIPAA regulations about collecting and sharing a patient’s PHI. However, there may sometimes be a need to talk about a patient’s diagnosis of COVID-19 in a setting that might not be fully HIPAA-compliant, and HHS has announced that it will take the circumstances into consideration when enforcing HIPAA privacy rules.


HHS has also announced some leniency when it comes to treating patients remotely. The issue of telehealth is one that is looming large as most of us are complying with stay-at-home orders. It is possible for many patients to be diagnosed and examined remotely.

The Office for Civil Rights (OCR) has issued a statement regarding telehealth and its expected discretion regarding the use of electronic equipment to treat patients remotely. It has also released a list of Frequently Asked Questions to help providers. Here are some of the highlights:


  • The relaxed rules apply to all HIPAA-covered healthcare providers. They do not apply to insurance companies that pay healthcare providers.
  • The Notification of Enforcement Discretion applies to all patients treated via telehealth, not just those diagnosed with COVID-19. 
  • Covered providers will not be penalized for violations of HIPAA’s Privacy, Security and Breach Notification rules if they act in good faith using telehealth to treat their patients.
  • The new rules on telehealth do not apply to the release of information related to substance abuse.
  • Some things are still considered violations, such as using a public Wi-Fi network to provide telehealth or the use of public-facing communication products, including Facebook Messenger or TikTok.

The key takeaway here is that you must always act in good faith when providing telehealth to your patients, but you will not be penalized for relaxing your compliance with HIPAA regulations when it is necessary.

Protecting Patient Information at Home

As of this writing, HHS has not notified the public of any changes to the way healthcare providers handle written information about patients. However, it’s safe to assume that the blanket term “communication” covers a patient’s physical records as well as electronic ones.

Our recommendation is that you adhere as closely as possible to HIPAA regulations. If you have not already done so, now would be a good time to partner with an experienced, HIPAA-compliant document storage and destruction company like Gilmore Services.


The COVID-19 pandemic requires all of us to be flexible and think on our feet. The HHS notifications about enforcement of regulations should help providers to care for patients effectively. However, we still recommend meeting your requirements under HIPAA as much as possible.
