HIPAA Guidance During COVID-19 

March, 2020 - Jennifer Kreick

Amidst continuing COVID-19 concerns, regulators issued certain waivers of HIPAA requirements and penalties as well as additional guidance applicable during this public health emergency.

HIPAA Enforcement Discretion for Telehealth. As discussed further in this issue’s feature article, effective March 17, 2020, the Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) issued a Notification of Enforcement Discretion (“Notice”) stating that it will not impose penalties for noncompliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) against health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This Notice applies to telehealth provided for any reason, regardless of whether the services relate to the diagnosis and treatment of COVID-19.

The OCR specified that a covered health care provider may provide telehealth services through any non-public facing remote communication product, including popular applications that allow for chats (e.g., Facebook Messenger video chat or Skype). However, health care providers should not use video communication products that are public facing (e.g., Facebook Live, Twitch, and TikTok). OCR also will not impose penalties against healthcare providers for the lack of a business associate agreement (“BAA”) with a video communication vendor or any other noncompliance with the HIPAA regulations that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency. For healthcare providers seeking additional privacy protections, the Notice provided a list of vendors that represent that they provide HIPAA-compliant video communication products and will enter into HIPAA-compliant BAAs. These vendors include, among others, Skype for Business, Zoom for Healthcare, and Doxy.me. See the Notice and FAQ for more information.

Limited Waiver of HIPAA Sanctions and Penalties. Effective March 15, 2020, in response to the President’s declaration of a nationwide emergency and the Secretary of HHS’ earlier declaration of a public health emergency on January 31, 2020, the Secretary exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirement to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient's right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient's right to request confidential communications. See 45 CFR 164.522(b).

The waiver only applies (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. See the Waiver for more information.

HIPAA Privacy Guidance During COVID-19. In February 2020, OCR released a bulletin to remind covered entities and business associates of the ways patient information may be shared under HIPAA in an outbreak of infectious disease or emergency situation. For example:

  • disclosures about the patient as necessary to treat that patient or another patient. See 45 CFR §§ 164.502(a)(1)(ii), 164.506(c), and the definition of “treatment” at 164.501.
  • disclosures for public health activities, including:
    • To a public health authority, such as the CDC or a state or local health department authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability. See 45 CFR §§ 164.501 and 164.512(b)(1)(i).
    • At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority. See 45 CFR 164.512(b)(1)(i).
    • To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations. See 45 CFR 164.512(b)(1)(iv).
  • disclosures to a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. These disclosures, when necessary, could involve notification to the police, press or the public at large. See 45 CFR 164.510(b).
  • disclosures to anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. See 45 CFR 164.512(j).

The bulletin also reminded covered entities that except in limited circumstances, disclosures to the media or public at large about an identifiable patient are generally prohibited without the patient’s written authorization, and providers are still expected to comply with the minimum necessary standard and implement reasonable safeguards to protect patient information during this time.

Finally, the bulletin reiterated that HIPAA applies only to covered entities (health plans, healthcare clearinghouses, and healthcare providers that conduct one or more covered healthcare transactions electronically) and business associates (persons or entities that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information). While HIPAA often does not apply to employers who receive health information directly from their employees (unless, for example, the employer is a healthcare provider providing healthcare services to its own employees or the employer learned of the healthcare item or service through a health insurance claim filed by the employee), other state and federal privacy laws may apply. Accordingly, employers should exercise caution when sharing individually identifiable health information of their employees. See Guidance for more information.
