Telehealth Regulation (Covid Updates): Privacy, Security & HIPAA

Posted: April 01, 2020

This blog is co-authored by Mantra Health, a telemental health and software platform company focused on serving the needs of higher education, and Epstein Becker Green, a national law firm with expertise in the provision of health care services in higher education environments.


In early March 2020, the federal government officially declared the novel coronavirus (“COVID-19”) outbreak a national emergency (1), and the U.S. Department of Health and Human Services (“HHS”) declared the COVID-19 crisis a public health emergency under Section 319 of the Public Health Service Act. (2) These events resulted in a myriad of changes to federal laws related to telehealth, as well as many related changes at the state level. These changes have prompted an influx of questions from mental health care providers who are pivoting to telehealth as their sole modality for providing care. This is particularly true in the higher education setting where university and college students and staff have been evacuated to their homes or other safe environments and education continues on a remote access basis.

This blog series, published by Mantra Health and Epstein Becker Green, was initiated in response to questions from the field of higher education mental health providers who are incorporating telehealth into their settings while concurrently adjusting to support a remote campus. Mantra Health and Epstein Becker Green will be publishing a series of three posts that will cover a range of changes in federal and state laws related to the use of telehealth, including:

  1. Blog 1: Professional licensure, state-specific definitions of telehealth, and acceptable telehealth modalities and platforms
  2. Blog 2: Privacy and security regulations pursuant to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
  3. Blog 3: Remote prescribing and managing high risk patients

Overview of Key Regulatory Changes

As mentioned in our first blog post, the Centers for Medicare & Medicaid Services (“CMS”) has made significant changes to its telehealth coverage and reimbursement rules in response to COVID-19, including but not limited to:

  • Waiver of the requirement that providers have a valid license for the state in which they provide care (3); and
  • Expansion of the list of acceptable platforms upon which telehealth services may be provided. (4)

Similarly, the Office for Civil Rights (“OCR”) within the U.S. Department of Health and Human Services (“HHS”) has issued guidance related to the application of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) rules during the COVID-19 national public health emergency time period. (5-6) Per OCR’s guidance, these changes include, but are not limited to:

  • Expansion of the list of acceptable platforms upon which telehealth services may be provided;
  • Statements that penalties for HIPAA non-compliance will not be enforced, and that audits will not be conducted; and
  • Suggestions regarding the locations from which providers can conduct telehealth visits, and related guidance regarding ways to maintain privacy during such sessions.

FAQs from Higher Education Providers: Telemental Health Regulatory Considerations

Some elements of HIPAA are relaxed, but do I still need to maintain some level of privacy and protection of PHI?

Privacy and Confidentiality of PHI

As college and university mental health care providers transition to virtual communications with students who utilize their services, the basic practices of privacy and security of the records (whether under HIPAA or the Family Educational Rights and Privacy Act (“FERPA”)), including those concerning unauthorized access, sharing and de-identification of patient information, and data security, should continue to be followed. The mitigating circumstances of the COVID-19 national public health emergency should not impact or modify those practices. Providers should continue to incorporate the basic rules of confidentiality into practice in order to avoid a potential breach of privacy. (6-7) Such rules include:

  • Using unique passwords for each employee accessing the telehealth platform;
  • Maintaining privacy during interactive audio-video and interactive audio sessions, not only in the space where the provider is located but in the space where the student is located (by reminding and encouraging students to take such precautions prior to starting sessions); 
  • Using lowered voices and avoiding the use of speakerphones, or recommending that students move to a reasonable distance from others when discussing PHI;
  • Documenting and maintaining records concerning all telehealth encounters in the electronic health record (“EHR”) system;
  • Restricting access to student medical records to authorized members of the treatment team. 

Communication with Out-of-network Providers

In light of COVID-19, the widespread movement of students from college and university campuses to their respective remote locations may require transfers of care to local providers for certain students, especially if risk levels increase as discussed in our first post. At a minimum, continuity of care should be preserved to the extent possible under all applicable regulations, which may include sharing medical records, existing prescriptions, or other important treatment information with a local referral. As a standard practice, providers always should obtain a student’s consent to disclose information to an external referral provider. (8) Written consent, which is standard practice, often is not feasible in a remote environment. During the COVID-19 national public health emergency, documentation of verbal consent may be sufficient, particularly as it relates to an emergent situation, (9) but providers are encouraged to check applicable state consent laws to confirm how different states have shifted these requirements in light of the current situation.

Business Associate Agreements

Although HIPAA non-compliance penalties for using telehealth technology in good faith are not expected to be enforced during the COVID-19 national public health emergency period, (5) we can assume that HIPAA rules and requirements will resume in full force once this period is over. For example, a business associate agreement (“BAA”) is not required in light of the COVID-19 emergency for a provider’s telehealth technology of choice. Yet, in anticipation of a “return to normal” with respect to HIPAA requirements, we recommend that colleges and universities consider entering into a BAA with the chosen telehealth vendor, if not already signed. The aim is to avoid operational disruption following the conclusion of the current national emergency period by ensuring that a HIPAA-compliant telemedicine platform for students is in place when the waiver is lifted.

What else related to HIPAA still stands?

A majority of states require providers to obtain informed consent prior to starting a telemental health visit. While a number of states permit providers to maintain documentation of verbal consent, some states (for example, Idaho (10) and Delaware (11)) do require that providers obtain written consent.

On a practical level, providers should have students electronically sign consent forms prior to receiving treatment, or should establish documentation in their EHR that a conversation about informed consent took place verbally. Consider including the following elements when documenting informed consent (12) to ensure the student understands the risks and benefits of telehealth:

  • What is telehealth?
  • What are the expected benefits and risks associated with receiving care through telehealth?
  • What security and privacy measures will be taken during the telehealth visit?

Our next and final blog post in this series will focus on changes made in the wake of the COVID-19 national public health emergency to regulations and other requirements related to remote prescribing and managing high risk patients.

The above information has been reported to the best of our knowledge, and with the understanding that both federal and state guidance continues to evolve rapidly. We recommend referring to relevant federal and state government websites frequently (e.g., HHS, CMS, DEA, OCR, SAMHSA) for the most current guidance. To stay up to date with the latest regulatory changes, reference Epstein Becker Green’s Coronavirus Resource Center. 


  1. The White House. Published on March 13, 2020. Accessed at:
  2. U.S. Department of Health and Human Services. Published January 31, 2020. Accessed at:
  3. U.S. Department of Health and Human Services. Published March 13, 2020. Accessed at:
  4. The Centers for Medicare and Medicaid Services. Published on: XXX. Accessed at:
  5. The Office for Civil Rights, Department of Health and Human Services. Accessed at:
  6. The Office for Civil Rights, Department of Health and Human Services. Published on March 20, 2020. Accessed at:
  7. The Office for Civil Rights, Department of Health and Human Services. Accessed at:
  8. The Office of the National Coordinator for Health Information Technology. Last updated September 19, 2018. Accessed at:
  9. The Office for Civil Rights, Department of Health and Human Services. Published February 2020. Accessed at:
  10. State of Idaho, Division of Occupational and Professional Licenses. Published on May 6, 2016. Accessed at:
  11. State of Delaware: The Official Website of the First State, Division of Professional Regulation. 9.0 Code of Ethics. Accessed at:
  12. Center for Connected Health Policy. Accessed at: