Caitlin Walsh


From smartphones to wearable gadgets, consumer technology is ubiquitous in contemporary American society. By contrast, virtual doctor’s appointments and prescription consultations have, until recently, been comparatively rare.[1] Virtual healthcare appointments belong to a classification of healthcare services called “telehealth” services, which the U.S. Department of Health and Human Services (“HHS”) defines as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration.”[2] The onset of Covid-19 has prompted a dramatic rise in the number of telehealth services offered by U.S. healthcare providers, both out of necessity and in response to patient interest. By May of 2020, an estimated 46% of U.S. healthcare consumers were using telehealth services in place of in-person healthcare appointments, up from 11% in 2019.[3] Similarly, while only 0.1% of Medicare primary care visits were conducted via telehealth in February of 2020, 44% of such visits were conducted via telehealth in April of the same year.[4]

This tectonic shift in the telehealth landscape has come about largely due to HHS’s Notification of Enforcement Discretion for Telehealth,[5] issued in mid-March of 2020. The notification announced that HHS would temporarily refrain from imposing penalties for violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) rules[6] in order to facilitate the “good faith provision of telehealth during the COVID-19 nationwide public health emergency.”[7] Specifically, the HHS notification set aside the HIPAA Privacy Rule’s business associate agreement requirement, which obliges healthcare providers to enter into HIPAA-compliant contracts with companies that handle protected health information on their behalf, including providers of digital communication services;[8] such agreements are designed to ensure patient privacy and the proper handling of confidential, protected health information.[9] As a result of the HHS waiver, doctors and other healthcare professionals can presently use digital communications platforms like Skype, WhatsApp, or texting functions to reach patients; they can do so even when the companies operating those platforms do not have business associate agreements with the healthcare providers and, thus, may lack the corresponding data privacy protections.[10] The notification covers only non-public-facing remote communication products; public-facing services, such as Facebook Live, Twitch, or TikTok, remain off limits. Additionally, the HHS notification allows physicians to store and handle patient images and personal health information while rendering telehealth services “in good faith.”[11]

Without fear of penalty for the “good faith” provision of telehealth services, healthcare providers around the country rapidly expanded telehealth offerings to their suddenly homebound patients.[12] Providers and patients met for appointments or exchanged protected health information over private Zoom meetings, FaceTime sessions, and direct messaging platforms—many of which do not meet HIPAA privacy and security standards.[13]

To facilitate further innovation in, and expand patient access to, remote telehealth services as the world continues to grapple with Covid-19, HHS can create a regulatory sandbox.[14] A regulatory sandbox is a “testing grounds for new business models that are not protected by current regulations.” The purpose of a regulatory sandbox “is to adapt compliance with strict … regulations to the growth and pace of the most innovative companies, in a way that doesn’t smother the … sector with rules, but also doesn’t diminish consumer protection.”[15] The concept balances innovation with consumer protection by allowing firms to operate new products or services in a relaxed, but closely monitored, regulatory environment.[16] Regulatory sandboxes have popped up in a variety of jurisdictions worldwide, from Arizona to the United Kingdom, though they have mostly been enacted to support the growth of the Financial Technology (“FinTech”) sector.[17] However, Singapore has recently created a regulatory sandbox for telemedicine services;[18] if ultimately successful, it could serve as a model for a similar policy in the United States.

Similarly, the Consumer Financial Protection Bureau (“CFPB”) offers a U.S. federal agency-based template for regulatory sandboxes. The CFPB has a “No-Action Letter Policy,” which allows financial firms to request that the agency take no enforcement action against a specific practice, either because the legality of the practice is ambiguous or because it offers a significant practical benefit that outweighs countervailing concerns.[19] Further, the CFPB has adopted a “Compliance Assistance Sandbox,” in which “companies can obtain a safe harbor for testing innovative products and services for a limited period of time while sharing data with the Bureau.”[20]

In theory, regulatory sandboxes, such as that of the CFPB, balance innovation with consumer protection[21]—a balance that, according to critics, has eluded HIPAA since its inception. In practice, regulatory sandboxes are a novel scheme with only four years of real-world application.[22] Still, early evidence from the FinTech sector suggests that regulatory sandboxes benefit individual firms, drive efficiency and innovation in the market, and “build capacity within regulatory institutions” so that such institutions can implement more effective policy schemes.[23] With a global pandemic still raging and HHS’s enforcement discretion already in force to facilitate access to much-needed telehealth services, HHS may have little to lose and much to gain from implementing an experimental and collaborative program like the regulatory sandbox.

CFPB’s statutory authority to create its “No-Action Letter Policy” and “Compliance Assistance Sandbox” is rooted in an expansive reading of its supervisory, advisory, and enforcement authorities.[24] As a 2018 CFPB policy paper on the “No-Action Letter Policy” elaborates: “Congress has given the Bureau a variety of authorities under title X of the Dodd-Frank Act and the enumerated consumer laws that it can exercise to promote its purpose and objectives, including facilitating innovation. These authorities include supervision and enforcement authority, and the authority to issue orders and guidance.”[25] In cases where “willful neglect” of HIPAA obligations is not involved or alleged, HHS has significant flexibility to support noncompliant providers in their attempts to become compliant.[26] Indeed, the 2013 HIPAA Omnibus Rule notes that, in cases not involving “willful neglect,” “[T]he Secretary often will still seek to correct indications of noncompliance through voluntary corrective action ….”[27] HHS can invoke its mandate to facilitate “voluntary corrective action” as justification for establishing a regulatory sandbox. In this scenario, healthcare providers would be deliberately and voluntarily working to comply with the existing regulatory regime, or to improve it in conjunction with regulators.

Finally, HHS can also justify its authority to adopt a regulatory sandbox by pointing to the legislative intent of HIPAA: to facilitate innovation in health portability. For instance, language in the 2013 Omnibus Rule defining “electronic media” to be regulated under HIPAA was deliberately made inclusive, not exclusive, “so as to allow for future technological innovation.”[28] Just as CFPB created its own regulatory sandbox to promote the Dodd-Frank Act’s directive on innovation, so, too, may HHS legitimately argue that creatively employing its enforcement discretion to facilitate innovation in telehealth fulfills the legislative intent of HIPAA.



[1] Oleg Bestsennyy et al., Telehealth: A Quarter-Trillion-Dollar Post-COVID-19 Reality?, McKinsey & Co. (May 29, 2020).

[2] What is Telehealth?, Office for Civil Rights (OCR), U.S. Dep’t of Health & Human Servs. (Mar. 27, 2020).

[3] Bestsennyy et al., supra note 1.

[4] Issue Brief: Medicare Beneficiary Use of Telehealth Visits: Early Data from the Start of the COVID-19 Pandemic, Office of the Asst. Sec’y for Planning & Evaluation (ASPE), U.S. Dep’t of Health & Human Servs. (Jul. 28, 2020).

[5] Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency, Office for Civil Rights (OCR), U.S. Dep’t of Health & Human Servs. (Mar. 30, 2020).

[6] These rules are the Privacy Rule, Security Rule, and Breach Notification Rule. 45 C.F.R. pts. 160, 164.

[7] Office for Civil Rights (OCR), U.S. Dep’t of Health & Human Servs., supra note 5.

[8] Id.; 45 C.F.R. § 160.310.

[9] Id.

[10] Office for Civil Rights (OCR), U.S. Dep’t of Health & Human Servs., supra note 5.

[11] Id.

[12] “The increased number of visits in the latter weeks in March, 2020 might also be related to the March 6, 2020 policy changes and regulatory waivers from Centers for Medicare & Medicaid Services (1135 waivers) in response to COVID-19 […].” Lisa M. Koonin et al., Trends in the Use of Telehealth During the Emergence of the COVID-19 Pandemic – United States, January – March 2020, 69 Morb. Mortal. Wkly. Rep. 1595, 1597 (Oct. 30, 2020).

[13] Notification of Enforcement Discretion for Telehealth Remote Communications, supra note 5, at para. 6.

[14] What is a Regulatory Sandbox, BBVA (Apr. 26, 2018).

[15] Id.

[16] Id.

[17] Id.

[18] Licensing Experimentation and Adaptation Programme (LEAP) – A MOH Regulatory Sandbox, Singapore Ministry of Health.

[19] 12 CFR Chapter X, Policy on No-Action Letters and the BCFP Product Sandbox.

[20] Innovation at the Bureau, Consumer Financial Protection Bureau.

[21] Id.

[22] Sharmista Appaya & Mahjabeen Haji, Four Years and Counting: What We’ve Learned from Regulatory Sandboxes, World Bank (Nov. 18, 2020).

[23] Id.

[24] 12 CFR Chapter X, Policy on No-Action Letters and the BCFP Product Sandbox, supra note 19.

[25] Id.

[26] HHS Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules (2013 Omnibus Rule), 78 Fed. Reg. 5566, 5578 (Jan. 25, 2013).

[27] Id.

[28] Id. at 5575.