Telehealth BAA Compliance After National Public Health Emergency Ends


By Carlyn M. Doyle, MSHI, RHIA, CHPS, HCISPP, CDPE, and DeAnn Tucker, MHA, RHIA, CHPS, CCS

On March 30, 2020, the US Department of Health and Human Services (HHS) issued a Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency, which stated that the department would “not impose penalties for noncompliance … in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”

Once the public health emergency ends, however, that enforcement discretion ends with it. Covered entities should revisit any technology adopted for telehealth during the emergency and bring it back into line with the HIPAA requirements that again apply in full, particularly the Privacy and Security Rules.

The first assessment covered entities should perform post-pandemic is an inventory of all active telehealth platforms.

Survey providers to find out which telehealth applications and tools they are using, how they are using them, why they chose a given application, and how that decision was made (for example, whether anyone reviewed the vendor's terms or security before use).

The inventory is the starting point for assessing the impact and implications of the non-compliant platforms that may have been adopted to meet patient demand during the pandemic. If an organization used a means of communication that HHS expressly identified as unacceptable, such as Facebook Live or Twitch, the organization should presume that a breach has occurred and conduct a breach risk assessment. HHS excluded these platforms because they are public-facing: sessions are visible to the public by design, so they should not be used by covered healthcare providers to deliver telehealth.

Next, the organization should collect and review the end user license agreements, subscription agreements, and contracts for every teleconferencing platform in use to determine what terms actually govern the relationship. Some subscription agreements contain business associate agreement (BAA) language that the user never noticed when clicking “accept” while downloading the app; others contain terms (for example, vendor rights to use or retain content) that a covered entity would never knowingly accept for ePHI.

Under the HHS notice, “OCR will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors or any other non-compliance with the HIPAA Rules that relate to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.” The notice does not say what OCR will expect once the emergency ends. Organizations should therefore retain documentation of every attempt to obtain a BAA, including unsuccessful ones, even if they ultimately discontinue the vendor, so that the good faith basis for the earlier use is on record.

Many BAA terms are negotiable, and it is important to understand which are and which are not before approaching a vendor. If the vendor refuses to sign a BAA at all, the organization should identify how to terminate any signed agreements, negotiate the return or destruction of any ePHI the vendor holds, and communicate the decision to providers. It is also important to determine how terminating the agreement will affect patient care, and to plan the transition accordingly. Once the public health emergency is over, providers must either have a BAA in place or discontinue use of any teleconferencing platform whose vendor will not enter into one.

Additionally, consider the following:

  • Providers may have used personal or corporate accounts with the vendors. If personal accounts were used, assess the additional risk and impact: who else has access to the account, what ePHI it holds, and whether the account and its data can be transferred to a corporate account under organizational control.
  • Was a security assessment conducted for the application? If not, one should be conducted now, covering the application's encryption standards (in transit and at rest), what data it collects, how long it retains it, where it is stored, how it is destroyed, and any other security requirements the organization imposes on systems that handle ePHI.

After inventorying and researching each application in use, define the organization's use cases for each product and decide which applications the organization will:

  • Continue to use
  • Consolidate with another product
  • Terminate and discontinue

Decisions about a specific product should be reassessed on an ongoing basis for Security Rule compliance and for provider and patient satisfaction.

Other things to consider:

  1. Notice of Privacy Practices (NPP). Covered entities may need to revise their Notice of Privacy Practices (NPP) as a result of the pandemic and the implementation of telehealth services. Covered entities should also confirm that the processes and workflows for distributing the NPP were followed during telehealth visits and that acknowledgement was obtained from the patient. It is a good idea to implement processes to audit the collection of NPP acknowledgements.
  2. Informed consent. Covered entities must be able to show that the patient consented to the telehealth service and that the consent is documented within the patient's electronic health record (EHR). Covered entities also need to account for state laws, which vary in their requirements for telehealth-specific informed consent. Some states require providers to inform the patient about the potential risks of telehealth, and states differ on what information must be provided to the patient and on the type of consent (written or verbal, for example) that must be obtained.
  3. Review all policies. Covered entities and business associates should review and update their policies so that they align with the telehealth practices that were implemented during the pandemic and will remain in effect after it. For example, designated record set (DRS) policies may need to be revised to ensure that visit documentation from the telehealth platform is incorporated into the EHR. Other areas to revisit include standards, policies, and training for bring your own device (BYOD); work from home; amendments and corrections to medical records; privacy policies; and information security policies.
  4. Record retention. Covered entities and business associates will need to define retention and storage controls for telehealth applications that record video or audio or capture dictated notes during virtual visits. These artifacts also need to be captured within the EHR and may need to be accessible to those involved in treatment, payment, or operations for that visit. Release of information (ROI) processes should be updated to cover permissible disclosures of any video, audio, and dictated notes that are part of the DRS or legal health record (LHR). Organizations should consult their legal counsel about record retention, discoverability, and the release, use, and disclosure of audio, video, and dictated-note records.
  5. HIPAA Security Risk Analysis (SRA). Covered entities and business associates will need to re-evaluate their security risk analysis to cover the telehealth applications, systems, and processes adopted during the emergency, identifying the vulnerabilities and weaknesses they introduce and their effect on the organization's security controls and overall security posture.

American Health Information Management Association. “Guidelines for a Compliant Business Associate Agreement (2016).”

Lewis, Sharon and Kelly McLendon. “Ensuring Your Business Associates Provide ‘Satisfactory Assurances’.” Journal of AHIMA 86, no. 10 (October 2015): 48-51.

Health Resources & Services Administration. Policy changes during the COVID-19 Public Health Emergency.

Agency for Healthcare Research and Quality. Informed Consent Resources for Telehealth.

Centers for Medicare and Medicaid Services. Medicare Telemedicine Health Care Provider Fact Sheet. March 17, 2020.

US Department of Health and Human Services. “Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency.”


Carlyn M. Doyle is the compliance engineer at WebMD. DeAnn Tucker is senior manager of the Coker Group.