Article Note: legal changes have been occurring hourly as the Trump Administration and Federal agencies respond to the COVID-19 pandemic. This Alert was originally issued on March 13, 2020, with content current as of 3:45 p.m. EST. It was subsequently updated as of 9:30 p.m. EST March 16, 2020, 3:45 p.m. EST March 17, 2020, and 8:45 p.m. EST March 17, 2020. We will continue to monitor and strive for timely updates as applicable.
In this update, we incorporate information on waivers of penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency (announced March 17, 2020). OCR’s evening announcement expands on the enforcement discretion related to telehealth announced by CMS earlier in the day.
Healthcare providers are on the front lines of the rapidly evolving COVID-19 pandemic. Public anxiety is running high, and media scrutiny is intense. As providers are faced with escalating inquiries and public demand for information, they must remain cognizant of patient privacy rights and vigilant in their HIPAA compliance. It is critical to understand what information can be disclosed and under what circumstances; below we outline important tips to assist providers in maintaining compliance:
1. Emergencies do not exempt providers from compliance – but limited waivers of sanctions and penalties for certain compliance requirements have been issued.
It is important to remember that HIPAA protections are not automatically waived during an emergency like the COVID-19 pandemic. The requirements of the HIPAA rules generally remain in place. However, in limited circumstances, the Secretary of HHS does have the authority to waive sanctions and penalties for noncompliance with certain provisions of the rules.
Accordingly, pursuant to President Trump’s declaration of a national emergency on March 13, 2020, and HHS Secretary Azar’s earlier declaration of a public health emergency, HHS has announced two areas in which it is waiving sanctions and penalties during the period of declared emergency:
- Limited waivers of penalties for hospitals for noncompliance with certain Privacy Rule requirements (announced March 16, 2020); and
- Waivers of penalties for HIPAA violations for health care providers that serve patients in good faith through everyday communications technologies, such as FaceTime or Skype (announced March 17, 2020).
HHS announced that it will waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
- the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
- the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
- the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
- the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
- the patient’s right to request confidential communications. See 45 CFR 164.522(b).
The waiver became effective on March 15, 2020, retroactive to March 1, 2020, and a bulletin discussing the waiver can be accessed here. When the Secretary issues such a waiver, it only applies:
- in the emergency area identified in the public health emergency declaration;
- to hospitals that have instituted a disaster protocol; and
- for up to 72 hours from the time the hospital implements its disaster protocol. Further, when the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.
On March 17, 2020, HHS announced that it will waive sanctions and penalties for HIPAA violations against health care providers that provide telehealth services to patients in good faith through everyday communications technologies, such as FaceTime or Skype, during the COVID-19 nationwide public health emergency.
Specifically, OCR stated, “A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.”
Importantly, OCR explained:
- Covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
- Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
- However, OCR will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.
In contrast to the above, providers may not use Facebook Live, Twitch, TikTok, and similar video communication applications in the provision of telehealth because they are public facing.
More details, including the press releases, fact sheets, and FAQs for the applicable announcements, can be found here and here.
2. Certain information can be shared pursuant to limited HIPAA exceptions, or pursuant to a HIPAA-compliant Authorization.
HHS issued a helpful bulletin via its Privacy and Security listservs on February 3, 2020, addressing ways that patient information may be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation. The bulletin is available here.
- The bulletin addresses how covered entities may use and disclose protected health information: about the patient as necessary to treat the patient or to treat a different patient; for permissible public health activities, such as disclosure to the CDC or a state or local health department authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability; to family, friends, and others involved in an individual’s care and for notification purposes; and for certain other limited uses and disclosures.
- Each of these exceptions has specific requirements and elements that must be met for the use or disclosure to be permissible under HIPAA, and covered entities and business associates should not forget the general rule that disclosure of patient-identifiable information to the media or the public at large is prohibited without the patient’s (or HIPAA-compliant Personal Representative’s) written authorization.
- This means that information about an identifiable patient such as specific tests, test results, or details of a patient’s illness must remain confidential unless an exception applies or there is a HIPAA-compliant authorization in place. The requirements for a valid HIPAA authorization can be found at 45 CFR 164.508.
3. Innovate and adapt – but use caution.
With the spread of COVID-19, providers may be looking for ways to help patients that will also decrease exposure and community spread, such as telemedicine. However, even as certain requirements are modified in the face of the pandemic, HIPAA as a whole has not been waived as of the time of this alert, and the only waivers of sanctions, penalties, and compliance requirements are those described above. Thus, any telemedicine encounter should be conducted in a HIPAA-compliant way within the bounds of the waivers. Further, covered entities and business associates should keep in mind that the requirements and safeguards of the HIPAA Privacy and Security Rules will likely return to full enforcement following the expiration of the waivers.
4. Seek counsel where greater clarity is needed.
Providers should carefully review the HIPAA regulations and HHS’s guidance, and consider consulting qualified legal counsel if they are unsure about how HIPAA applies, such as whether a use or disclosure is permitted, whether an authorization is compliant, or whether a business associate agreement is required. Guidance from regulators is evolving as the situation continues to develop, and providers should stay informed and monitor for updates.