OCR Takes Center Stage in October: New Guidance for Secure Telehealth and Cybersecurity Sanctions under HIPAA

In October, the Office for Civil Rights (OCR) intensified its efforts to enforce regulations under the Health Insurance Portability and Accountability Act (HIPAA), according to an article by Baker Hostetler. Two guidance documents and a quarterly cybersecurity newsletter were released to address privacy and security concerns in telehealth and optimize workforce-sanction policies for HIPAA compliance.

The OCR’s guidance on telehealth, published on October 17, aims to educate healthcare providers and patients on the risks associated with using telehealth services. The Provider Guidance encourages providers to inform patients about telehealth, available options, and potential risks to protected health information (PHI).

Recommendations include explaining the telehealth session process, providing contact information to verify communications, and disclosing telehealth vendors’ privacy and security practices. Patients are advised to participate in telehealth appointments in private locations, use secure devices, update software, employ strong passwords, and utilize encryption tools.

While not mandatory, the guidance sets a standard for telehealth practices, prompting healthcare providers to update consent forms and educational materials to inform patients about privacy and security risks.

In the realm of cybersecurity, the OCR’s October newsletter emphasizes the importance of sanctions in supporting HIPAA compliance. Regulated entities are urged to implement formal processes, document sanction procedures, require workforce acknowledgment of policy violations, and tailor sanctions based on violation severity.

The OCR stresses the need for consistency in sanction implementation and alignment with broader disciplinary policies. Though HIPAA doesn’t prescribe specific penalties, it mandates adherence to established policies, and the OCR has previously taken enforcement action against entities failing to sanction workforce members.

The OCR’s guidance reflects its commitment to flexibility in achieving compliance while underscoring the necessity of maintaining consistency and documentation. Healthcare providers are advised to assess and potentially revise their sanction policies to align with HIPAA requirements and broader organizational disciplinary principles.