HHS OCR eases HIPAA enforcement for telehealth

OCR announced it will not penalize healthcare providers for using non-HIPAA-compliant telehealth platforms during COVID-19. This is a temporary enforcement discretion, not a rule change—but it is letting doctors use Zoom and FaceTime.

Reviewed for accuracy by Kodi C.

On , OCR issued a Notification of Enforcement Discretion for telehealth. Providers could use consumer video tools such as FaceTime or Skype to deliver telehealth in good faith without facing HIPAA penalties during the COVID-19 emergency.

Enforcement Discretion Scope and Limitations

The enforcement discretion applies specifically to telehealth services provided in good faith during the COVID-19 public health emergency. OCR stated it would not impose penalties for HIPAA Privacy, Security, or Breach Notification Rule violations arising from good faith telehealth provision using non-public-facing communication products. This discretion enabled rapid telehealth expansion without traditional compliance barriers.

Non-public-facing communication products receive enforcement discretion while public-facing platforms remain excluded. Acceptable platforms include video chat applications like FaceTime, Google Hangouts, Zoom, and Skype. Public-facing platforms such as TikTok, Facebook Live, and Twitch remain inappropriate for telehealth regardless of enforcement discretion.

Good faith requirements condition enforcement discretion on reasonable efforts to protect patient privacy. Providers should enable encryption where available, limit data sharing, and avoid recording sessions unless clinically necessary. Bad faith use of consumer platforms or intentional disregard for privacy protections falls outside enforcement discretion protection.

HIPAA Requirements Preserved

Enforcement discretion does not waive HIPAA requirements; it only defers penalties during the emergency. Covered entities remain subject to HIPAA Rules and should continue compliance efforts where feasible. The Privacy Rule minimum necessary standard, Notice of Privacy Practices requirements, and patient rights provisions continue to apply.

Business associate agreement requirements technically remain in effect, though OCR will not enforce them against telehealth platform vendors during the emergency. If you are affected, document vendor relationships and plan business associate agreements for any post-emergency continued use of those telehealth platforms.

Security Rule administrative, physical, and technical safeguards continue to apply to electronic protected health information. If you are affected, implement available safeguards on consumer platforms including access controls, encryption where supported, and secure device configurations. Documentation of safeguard setup supports good faith demonstrations.

Providers must inform patients about privacy risks associated with consumer telehealth platforms. Patients should understand that platforms may not meet HIPAA standards and that privacy protections may be limited compared to in-person visits. This transparency supports informed consent and shows good faith.

Consent documentation should record patient acknowledgment of telehealth privacy limitations. Written or verbal consent with documentation in medical records provides evidence of patient notification. Consent processes can be simplified for emergency circumstances while maintaining essential disclosures.

Patient choice considerations may arise when HIPAA-compliant alternatives exist. Providers offering both compliant and non-compliant telehealth options should inform patients of differences and document patient preferences. Emergency circumstances may justify consumer platform use even when alternatives exist.

Operational and Technical Considerations

Platform selection should focus on available security features. End-to-end encryption, password protection for sessions, and waiting room features reduce privacy risks on consumer platforms. If you are affected, document platform security features and configuration decisions.

Device security affects telehealth privacy regardless of platform selection. Providers should use devices with appropriate security controls including encryption, passcodes, and remote wipe capability. Personal device use for telehealth requires additional attention to separation of personal and professional data.

Recording and storage policies require careful consideration. Recording telehealth sessions creates additional PHI subject to retention and security requirements. If you are affected, establish clear policies on recording, inform patients before recording, and ensure secure storage for any recorded content.

Post-Emergency Transition Planning

Enforcement discretion applies only during the declared public health emergency. If you are affected, plan migration to HIPAA-compliant telehealth platforms before emergency termination. Continued use of consumer platforms after enforcement discretion ends creates compliance risk.

Vendor evaluation should assess HIPAA compliance readiness including business associate agreement availability, security certifications, and technical safeguards. Platform selection for long-term telehealth operations should focus on compliance over convenience.

Implementation Recommendations

  • Platform documentation: Record communication tools used under enforcement discretion and security safeguards enabled including encryption and access controls.
  • Patient notification: Inform patients about privacy risks when using consumer-grade video tools and document consent.
  • Data minimization: Restrict disclosures to minimum necessary and disable recording unless clinically required.
  • Transition planning: Prepare migration to HIPAA-aligned telehealth platforms for post-emergency operations.
  • Policy development: Establish telehealth policies addressing platform selection, patient consent, and security requirements.
