On March 17, 2020, the federal government relaxed a number of telehealth-related regulatory requirements due to COVID-19. On April 3, 2020, California Governor Gavin Newsom issued Executive Order N-43-20 (the Order), which relaxes various telehealth reporting requirements, penalties, and enforcements otherwise imposed under state laws, including those associated with unauthorized access and disclosure of personal information through telehealth mediums.
As stated in the Order, which became effective immediately, telehealth services may help reduce the spread of COVID-19, and strict compliance with certain state telehealth requirements would otherwise “prevent, hinder, or delay appropriate actions to prevent and mitigate the effects of the COVID-19 pandemic.” The Order impacts certain health care facilities, health care providers, health care administrators, clinics, home health agencies, and hospice providers, generally in instances where non-compliance occurs during the “good faith provision of telehealth services.”
In addition to specifying that Health Insurance Portability and Accountability Act (HIPAA) covered health care providers should ensure that their delivery of telehealth services is consistent with the U.S. Department of Health and Human Services’ (HHS’s) March 17, 2020 Telehealth Notice of Enforcement Discretion, the Order relaxes a number of California regulatory requirements as they relate to the provision of telehealth services, particularly those governing the protection of medical or other confidential information. This relief will remain in effect through the duration of the “state of emergency” declared by the governor on March 4, 2020. The Order specifically suspends or otherwise relaxes the following California requirements and penalties in the context of telehealth services:
- Telehealth consent requirements suspended. The Order suspends the requirement for health care providers to obtain oral or written consent from a patient before using telehealth services under California Business and Profession Code section 2290.5(b).
- Liability suspended for unauthorized access or disclosures of health information under the CMIA. The Order suspends all penalties and any cause of action arising out of Civil Code section 56.35 of the Confidentiality of Medical Information Act (CMIA), as well as all administrative fines, civil penalties, private rights of action, and causes of action arising out of Civil Code section 56.36 of the CMIA, so long as the underlying violations result from the inadvertent, unauthorized access or disclosure of health information during the good faith provision of telehealth services.
- Criminal penalties suspended for unauthorized access or disclosures of medi-cal information. The Order suspends criminal penalties for health care providers, health care facilities, and health care administrators, as related to persons who knowingly release or possess information about Medi-Cal beneficiaries under Welfare and Institutions Code section 14100.2(h), as well as causes of action arising out of Welfare and Institutions Code section 14100.2, so long as any inadvertent, unauthorized release of confidential information occurs during the good faith provision of telehealth services.
- Breach notification liability relaxed. The Order suspends civil penalties for health care facilities and providers that fail to timely notify individuals whose information “was, or is reasonably believed” to have been acquired by an unauthorized person as otherwise required under Civil Code sections 1798.29 and 1798.82, so long as the inadvertent, unauthorized access or disclosure occurred during the good faith provision of telehealth services. Depending on the circumstances, these provisions generally require notification of data breaches either in the “most expedient time possible and without unreasonable delay” or “immediately.” The Order also suspends any cause of action arising out of these sections so long as the inadvertent, unauthorized access or disclosure occurred during the good faith provision of telehealth services.
- Administrative penalties and causes of action arising out of Health and Safety Code sections 1280.15 and 1280.17 suspended. The Order suspends administrative penalties under Health and Safety Code (H&S Code) section 1280.17 for health care providers that fail to protect and safeguard health information from unauthorized access or disclosure, and suspends causes of action arising out of this section related to unauthorized access or disclosure. The Order also suspends causes of action arising out of, and administrative penalties associated with, H&S Code section 1280.15, which requires certain clinics, health facilities, home health agencies, and hospice providers to prevent unlawful or unauthorized access to, and use or disclosure of, patient medical information. The Order further extends breach reporting requirements under H&S Code section 1280.15, which, under certain circumstances, requires notice to patients or the Department of Public Health of unauthorized access or disclosures within 15 days. The Order extends this notice requirement to within 60 days. Each of these changes only applies when a violation stems from the good faith provision of telehealth services.
- Relaxed discipline for unprofessional conduct. The Order makes clear that noncompliance with the suspended requirements addressed in the Order will not form the basis for professional conduct violations or discipline under article 10.5 of the California Business and Professions Code, or other applicable law, so long as the violation arises out of the good faith provision of telehealth services. This assures that medical professionals will not face professional liability or discipline for telehealth services that are provided consistent with the Order.
The Order repeatedly invokes “good faith provision of telehealth services” as key operative language, but the Order does not clearly define that phrase for the purposes of compliance. The Order defines “telehealth services” to include the telehealth provision of “behavioral or mental health services” in addition to “medical, surgical, or other health care services” but does not provide clarification regarding what would constitute “good faith.” The Order’s reference to the HHS Notice of Enforcement Discretion may suggest that the Order intends to construe “telehealth” and “good faith” consistent with that federal agency. Notably, since issuing that notice, HHS has provided a definition of “telehealth” and examples of what constitutes the “bad faith” provision of telehealth service in FAQ guidance.
Taken together, the foregoing relaxations of California laws and penalties associated with telehealth should lend some comfort and latitude for applicable health care entities engaged in telehealth services during the COVID-19 pandemic. Nonetheless, California health entities engaged in telehealth should exercise caution and prudence in furnishing such services to remain within the “good faith” exception of the Order, and to ensure the continued privacy of personal information during the COVID-19 pandemic and beyond.