What may constitute bad faith in the provision of telehealth by a covered health care provider, which would not be covered by the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications?

OCR would consider all facts and circumstances when determining whether a health care provider's use of telehealth services is provided in good faith and thereby covered by the Notice. Some examples of what OCR may consider a bad faith provision of telehealth services that is not covered by this Notice include:

• Conduct or furtherance of a criminal act, such as fraud, identity theft, and intentional invasion of privacy;
• Further uses or disclosures of patient data transmitted during a telehealth communication that are prohibited by the HIPAA Privacy Rule (e.g., sale of the data, or use of the data for marketing without authorization);
• Violations of state licensing laws or professional ethical standards that result in disciplinary actions related to the treatment offered or provided via telehealth (i.e.,based on documented findings of a health care licensing or professional ethics board); or
• Use of public-facing remote communication products, such as TikTok, Facebook Live, Twitch, or a public chat room, which OCR has identified in the Notification as unacceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication.