HIPAA and COVID-19 Update: HHS and OCR Remove Barriers to Accessing and Providing Telehealth Services and Other Waivers in Midst of COVID-19 Emergency

Wilson Sonsini Goodrich & Rosati

The COVID-19 emergency presents an unprecedented need to communicate quickly and effectively from a distance. Telehealth and telecommunications applications more broadly are poised to address the potentially crushing demand for medical care at the same time individuals are told to keep their distance. Until this recent action by the Department of Health and Human Services (HHS), the Health Insurance Portability and Accountability Act of 1996 (HIPAA) could have been a gating obstacle to large-scale deployment of telehealth services. In recognition of this and the need for patients and providers to have streamlined communication channels, the HHS Secretary and HHS Office for Civil Rights (OCR) have taken steps to waive certain requirements under HIPAA. These steps will significantly expand HIPAA-covered health care providers' (HCPs) ability to reach patients, and they present an unparalleled opportunity for companies that furnish these connective technologies to make a positive impact on the course of the epidemic.

Enforcement Discretion Regarding Telehealth Communications

On March 17, 2020, OCR issued a "Notification of Enforcement Discretion for remote communications during the COVID-19 nationwide public health emergency." Roger Severino, OCR's director, stated that by issuing the notification, the agency is "empowering medical providers to serve patients wherever they are during this national public health emergency," and is "especially concerned about reaching those most at risk, including older persons and persons with disabilities." [1]

In short, the notification advises HIPAA-covered healthcare providers (HCPs) that OCR, which is responsible for enforcing certain privacy and security regulations under the Act, will not seek any enforcement against HCPs who use communications technologies to connect remotely with patients, even if such technologies "do not fully comply" with the requirements of the HIPAA rules. In an apparent acknowledgment of what a vital role telehealth will play both in meeting increased demand and achieving the social distancing needed to "flatten the curve," HHS expressly states the Notification applies to telehealth provided for any reason, not just treatment of conditions related to COVID-19.

Accordingly, HCPs are presently permitted to use any non-public communication technology to provide telehealth to patients during the COVID-19 emergency. HHS will suspend its enforcement for noncompliance with the HIPAA Rules in connection with the "good faith provision of telehealth." This appears to mean that it will not exercise enforcement against those either using or providing such technology services. HHS lists multiple popular, publicly-available applications that enable chat or video, including Apple FaceTime, Facebook Messenger, Google Hangouts, or Skype. However, other publicly facing apps like Facebook Live, Twitch, TikTok, and similar video communications should not be used in the provision of telehealth.

HHS continues to encourage the use of audio and video services whose vendors represent that they are HIPAA-compliant and will enter into a business associate agreement, but this is no longer a gating issue. HHS states it will not impose penalties against HCPs for not having a business associate agreement (BAA) in place with audio or video communication vendors, or for any other noncompliance with the HIPAA Rules that relates to "the good faith provision of telehealth services" during the emergency. This reprieve creates a potentially vast opportunity for companies that furnish these connective technologies to make an impact in the healthcare crisis by acting as platforms for the delivery of telehealth.

A caution, however, is that while the notification removes technical HIPAA compliance as a gating issue for companies with telecommunications capabilities, they should continue to pursue robust privacy and information security measures, particularly in light of the highly-sensitive nature of health information generally, and communications regarding COVID-19 in particular. Specifically, companies should be aware that the Federal Trade Commission (FTC) has not issued similar guidance related to its enforcement discretion in this area, and therefore should assume that the FTC will continue to exercise enforcement in line with its existing guidance regarding adequate privacy and security measures. The notification also only applies to technologies used to connect providers and patients in a telehealth interaction, and therefore companies offering other services, even if COVID-19 related, are not covered by the notification at this time.

Waivers of HIPAA Privacy Rule Requirements for Hospitals

Effective March 15 and retroactive to March 1, HHS Secretary Alex Azar issued a Section 1135 waiver of sanctions and penalties for noncompliance with particular provisions of the HIPAA Privacy Rule for any hospital that has activated its disaster protocol, specifically:

  • The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient's care. (45 CFR 164.510(b))
  • The requirement to honor a request to opt out of the facility directory. (45 CFR 164.510(a))
  • The requirement to distribute a notice of privacy practices. (45 CFR 164.520)
  • The patient's right to request privacy restrictions. (45 CFR 164.522(a))
  • The patient's right to request confidential communications. (45 CFR 164.522(b))

Existing Permissive Disclosures Related to Public Health

There are other allowances for disclosures of protected health information (PHI) for public health purposes that are not specific to the COVID-19 emergency but are always in effect. With respect to public health activities, covered entities and business associates may disclose protected health information as needed without an individual's authorization under the following conditions:

  • To a public health authority, including the Centers for Disease Control and Prevention (CDC) and state or local health departments, which is otherwise authorized by law to collect or receive such information such as for the control of a disease like COVID-19. A "public health authority" includes an agency or authority of the United States government, a state, a territory, a political subdivision of a state or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. (45 CFR §§ 164.501 and 164.512(b)(1)(i))
  • At the direction of a public health authority to a foreign government agency acting in collaboration with the public health authority. (45 CFR 164.512(b)(1)(i))
  • To individuals at risk of contracting or spreading disease (such as COVID-19) if a specific law authorizes the covered entity (or, at the covered entity's direction, its business associate) to notify these individuals as necessary to prevent or control the spread of disease, or otherwise carry out a public health intervention or investigation. (45 CFR 164.512(b)(1)(iv))

Additional Resources

HHS has made the following COVID-19-related resources available:


[1] See Notification of Enforcement Discretion at https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Sonsini Goodrich & Rosati | Attorney Advertising
