Compliance Briefing — HHS OCR eases HIPAA enforcement for telehealth

Executive briefing: On 17 March 2020, OCR issued a Notification of Enforcement Discretion for telehealth. Providers could use consumer video tools such as FaceTime or Skype to deliver telehealth in good faith without facing HIPAA penalties during the COVID-19 emergency.

Why it matters

• Continuity of care: clinicians could rapidly expand virtual visits without waiting for business associate agreements on new platforms.
• Risk tolerance: OCR still expected providers to avoid public-facing apps and to enable encryption when available.
• Temporary scope: the discretion applied only during the declared public health emergency and did not waive HIPAA entirely.

Operator actions

1. Document platforms: Record which communication tools are used under the discretion and the safeguards enabled (encryption, access controls).
2. Patient notice: Inform patients about privacy risks when using consumer-grade video tools and obtain consent.
3. Limit sharing: Restrict disclosures to the minimum necessary and disable recording unless clinically required.
4. Transition plan: Prepare migration to HIPAA-aligned telehealth platforms once the emergency period ends.