COVID-19: HIPAA - Updates
In the context of an evolving COVID-19 response, there have between two notable regulatory developments relating to the Health Insurance Portability and Accountability Act (“HIPAA”) since the guidance issued by the Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) in February. First, OCR issued a notice of enforcement discretion on March 17, 2020, that enables greater flexibility in the use of remote communications technologies to provide telehealth services. Second, HHS issued a limited waiver of sanctions for noncompliance with certain HIPAA requirements, which gives hospitals and other covered entity providers limited reprieve from a subset of patient rights to restrict communications. Both publications provide additional insight into the agency’s position on HIPAA compliance during the pandemic.
OCR has adopted a policy of enforcement discretion for compliance with aspects of the HIPAA Security Rule by providers offering telehealth services to their patients. Given transmissibility considerations, OCR emphasized the need to ensure remote access to care for patients, especially those most at risk, regardless of whether or not the service is related to COVID-19. In its notice, OCR states that increasing access to telehealth will reduce the need for healthy or nonsymptomatic individuals to travel to facilities for health care, which in turn will help interpersonal interactions and further reduce transmission.
In exercising its enforcement discretion during the emergency, OCR will not impose penalties for telehealth services provided through noncompliant remote communications technologies if the services are provided in good faith. Specifically, OCR will permit providers to use any nonpublic facing audio or video communication technology to provide telehealth services. Notwithstanding the assurance offered through its enforcement discretion, OCR also gives providers a list of vendors who certify HIPAA compliance and are willing to enter into business associate agreements (“BAAs”). The chart below details examples of technology that can and cannot be used to provide telehealth services consistent with OCR’s notice:
|Vendors Who Provide HIPAA-Compliant Technology for Telehealth Services*||Nonpublic-Facing Technologies that Can Be Used for Telehealth Services||Public-Facing Technologies that Cannot Be Used for Telehealth Services|
|Skype for Business
Zoom for Healthcare
Google G Suite Hangouts Meet
Facebook Messenger video chat
Google Hangouts video
*Note that HHS does not endorse any vendors. Additionally, HHS has not verified any BAAs offered by vendors to ensure HIPAA compliance.
It is important to remember that despite the enforcement discretion, professional judgment must be exercised in determining whether telehealth can be used to treat or assess medical issues. Additionally, telehealth is heavily regulated by state law, and providers should ensure that they are meeting all state requirements prior to initiating telehealth services.
Limited Waiver of HIPAA Sanctions and Penalties
Following the President’s declaration of a nationwide emergency on March 13, 2020, and Secretary Azar’s previous declaration of a public health emergency on January 31, 2020, HHS recently announced that it will waive sanctions and penalties related to compliance with various HIPAA requirements. These waivers were effective March 15 and apply only:
- if noncompliance occurred “in the emergency area identified in the public health emergency declaration” (presently the entire United States);
- for hospitals that have instituted a disaster protocol; and
- for up to 72 hours from the time the hospital implements its disaster protocol.
The waiver offers practical assistance to covered entity providers through assurance that their failure to strictly comply with certain patient rights under HIPAA will not be subject to sanctions. The 72-hour limitation obviously diminishes the sustained utility of the waiver, especially given that COVID-19 is expected to be around for a significantly longer period. However, states and individual health facilities may consider submitting additional waiver requests to remove the 72-hour rule.
Specifically, where the above three conditions are met, the HHS limited waiver applies enforcement discretion to compliance with the following HIPAA Privacy Rule requirements:
- Obtaining a patient’s agreement prior to speaking with family members or friends involved in the patient’s care, see 45 C.F.R. § 164.510(b);
- Honoring a request to opt out of the facility directory, see 45 C.F.R. § 164.510(a);
- Distributing a notice of privacy practices, see 45 C.F.R. § 164.520;
- Honoring a patient’s right to request privacy restrictions, see 45 C.F.R. § 164.522(a); and
- Honoring a patient’s right to request confidential communications, see 45 C.F.R. § 164.522(b).
Noting this is a limited waiver, covered entities are reminded that reasonable administrative, technical, and physical safeguards must continue to be utilized to protect patient information. That said, HHS reiterated that under HIPAA, patient information may be used or disclosed without prior authorization for the purposes of treatment and public health activities. These and other appropriate uses and disclosures of protected health information were discussed in the February 2020 guidance. You can learn more about the February 2020 bulletin by listening to K&L Gates Triage: HIPAA Concerns in the Context of Novel Coronavirus.
While these OCR pronouncements give covered entities some additional flexibility, it is limited, and overall HIPAA requirements continue to apply. K&L Gates has created a HUB webpage to generally address the legal implications of the COVID-19 outbreak on businesses and will continue to update content of specific relevance for health care providers. Further, K&L Gates is well positioned to provide guidance to health systems and providers on the many regulatory considerations raised by the COVID-19 outbreak, as well as other matters that may arise in the current climate.
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer. Any views expressed herein are those of the author(s) and not necessarily those of the law firm's clients.