NMSG


Updated: Apr 4, 2020

The Health Resources and Services Administration (HRSA), as part of HHS' COVID-19 response, gave the green light to medical providers to see patients remotely.

This directive served three main purposes:

  1. Provide medical providers greater flexibility on how they see and care for patients

  2. Maintain critical lines of communication between patient and provider

  3. Protect medical providers and other patients from inadvertent infection

Since then, other guidance has ensued, particularly around relaxing HIPAA's Security Rule, which requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI).

So along that vein, here are a few things we think you need to know.


Telehealth, as defined by HRSA, is “the use of electronic information and telecommunications technologies to support and promote”:

  • long-distance clinical health care

  • patient and professional health-related education

  • public health and health administration

In today's environment, these necessarily will include videoconferencing via internet, image forwarding, streaming media, and other forms of wireless-related communications.


Below are HRSA’s main use cases in which you, the patient, participate in the telehealth process with your medical provider:

  • Live (synchronous) videoconferencing: a two-way audiovisual link between a patient and a care provider

  • Store-and-forward (asynchronous) videoconferencing: transmission of a recorded health history to a health practitioner, usually a specialist.

  • Remote patient monitoring (RPM): the use of connected electronic tools to record personal health and medical data in one location for review by a provider in another location, usually at a different time.

  • Mobile health (mHealth): health care and public health information provided through mobile devices. The information may include general educational information, targeted texts, and notifications about disease outbreaks.


During this nationwide public health emergency brought on by COVID-19, below is up-to-date guidance on how covered health care providers who normally are subject to the HIPAA Rules may seek to communicate with patients and provide telehealth services through remote communication technology.

The OCR (Office of Civil Rights) has said that it will exercise “enforcement discretion” and not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules. Health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the "good faith" provision of telehealth during the COVID-19 nationwide public health emergency. The notification, however, does not affect the application of the HIPAA Rules to other areas of health care outside of telehealth during the emergency.

Here is what that looks like.

A covered health care provider, according to HRSA, may exercise “professional judgement” and use telehealth services to:

  • Examine a patient who exhibits COVID-19 symptoms, using a video chat application connecting the provider’s or patient’s phone or desktop computer.

  • Assess or treat any other medical condition, even if not related to COVID-19, such as a sprained ankle, dental consultation, psychological evaluation, or other conditions. Both patients and providers may use telehealth services.


Medical providers should notify their patients that these third-party applications may potentially introduce privacy risks, and that they (the patient) should enable all available encryption and privacy protections while using third-party applications.

The applications listed below usually employ end-to-end encryption, allow individual user accounts, logins, and passcodes, limit access, and verify participants. Additionally, participants (providers and patients) may assert some control over particular capabilities, such as opting to record or not record communication, or to mute or turn off the video or audio signal at any point in time.

Here is a HRSA-approved short list of (non-public facing) platforms both patients and providers may use for telehealth services:

  • Apple - FaceTime

  • Facebook Messenger - video chat

  • Google Hangouts - video

  • WhatsApp - video chat

  • Skype

  • Zoom

Commonly used texting applications such as Signal, Jabber, Facebook Messenger, Google Hangouts, WhatsApp, or iMessage are also acceptable.


These (public-facing) remote communication products should not be used:

  • TikTok

  • Facebook Live

  • Twitch

  • Slack

If you are a medical provider of any kind who would like more telehealth-related guidance, or who needs to have a vulnerability assessment done in order to be sure that you're capable of providing secure telehealth services, send us an email at for a free security consultation.

We're ALL in this together.

