Dark Reading is part of the Informa Tech Division of Informa PLC

Edge Ask The Experts

Edge Editors

Will Gentler HIPAA Rules on Telehealth Now Protect Us From Breach Litigation Later?

To enable medical care while encouraging social distancing during the COVID-19 pandemic, the Department of Health and Human Services temporarily loosened up on some of its HIPAA noncompliance enforcement on telehealth. But what happens if there's a PHI slip-up?

Question: Should I worry that looser telehealth regulations now might cause me security and legal problems later?

Patricia Calhoun and Patricia Carreiro, attorneys at Carlton Fields: The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) — the government office responsible for enforcing the Health Insurance Portability and Accountability Act (HIPAA) — has exercised its enforcement discretion to not impose penalties for noncompliance with certain HIPAA rules during the COVID-19 emergency. However, this may not deter state regulators and/or private plaintiffs (i.e., patients) from suing telehealth providers if personal health information (PHI) is breached.

While HIPAA does not provide a private right of action to patients, patients can still allege (among other things) that providers' use of insecure technology is negligent, a breach of the provider–patient contract, and/or an unfair trade practice. Depending on the provider's representations, patients could even allege fraud. While some claims can be dealt with using an early motion to dismiss, others almost always survive, typically resulting in a not insignificant settlement.

There are, however, steps providers can take to reduce their litigation exposure, including notifying patients of technology risks posed by their methods of communication, enabling all available privacy protections, only contracting with HIPAA-compliant telehealth service providers that are willing to enter into a business associate agreement, and only using approved technologies to provide their services.

And remember, even during the COVID-19 pandemic, providers are still responsible for complying with HIPAA's administrative, technical, physical, and organizational requirements.

Patricia Calhoun and Patricia Carreiro are attorneys at Carlton Fields. Ms. Calhoun is a healthcare attorney with an interest in privacy issues and Ms. Carreiro is a data privacy and cybersecurity litigation attorney.

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.