OCR HIPAA Guidance in Light of COVID-19

Burr & Forman

Over the past several weeks, the Office for Civil Rights (“OCR”), the entity responsible for compliance with and enforcement of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”), has issued several notices regarding HIPAA in light of the current COVID-19 pandemic. This article will summarize some of the recent notices.

February 3, 2020: On February 3, 2020, OCR issued its first bulletin regarding HIPAA privacy requirements and COVID-19 to ensure that HIPAA covered entities and their business associates were aware of the ways that patient information may be shared in an outbreak of infectious disease or other emergency situation, and to serve as a reminder that the protections of the HIPAA Privacy Rule are not set aside during an emergency. The February 3rd bulletin addressed sharing information for treatment purposes, public health activities (i.e., to a public health authority such as the CDC or health department and to persons at risk), disclosures to family, friends, and others involved in an individual’s care and for notification purposes, to disaster relief organizations, to prevent a serious and imminent threat, and facility directories. The February 3rd bulletin reminded providers that, when applicable, they must adhere to the minimum necessary standards, but that providers may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose, when that reliance is reasonable under the circumstances. Further, the bulletin advised that in an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against impermissible uses and disclosures and must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information. The bulletin is available here.

March 16, 2020: On March 16, 2020, OCR issued another bulletin, this time on the limited waiver of HIPAA sanctions and penalties during a nationwide public health emergency. While the HIPAA Privacy Rule is not suspended during a public health or other emergency, the Secretary of HHS may waive certain provisions of the Privacy Rule. In response to the declaration of a nationwide emergency concerning COVID-19, the Secretary of HHS has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care;
  • the requirement to honor a request to opt out of the facility directory;
  • the requirement to distribute a notice of privacy practices;
  • the patient’s right to request privacy restrictions; and
  • the patient’s right to request confidential communications.

The waiver became effective on March 15, 2020. When the Secretary issues such a waiver, it only applies: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol. The bulletin is available here.

March 17, 2020: On March 17, 2020, OCR issued a Notification of Enforcement Discretion for Telehealth Remote Communications during the COVID-19 Nationwide Public Health Emergency. OCR stated that it would relax its enforcement actions with regard to compliance with certain aspects of HIPAA (and not enforce penalties) in order to allow providers to better treat their patients via telehealth. A health care provider that wants to use audio or video communication technology to provide telehealth to patients during the public health emergency can use any non-public facing remote audio or video communication product that is available to communicate with patients. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19. Pursuant to this notice, health care providers may use applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules. However, communication applications that are public facing should not be used. OCR further stated that it would not impose penalties against health care providers for the lack of a Business Associate Agreement with video communication vendors. The full notice is available here.

March 20, 2020: On March 20, 2020, OCR issued additional guidance on telehealth during the COVID-19 nationwide public health emergency. OCR had previously announced that it was exercising its enforcement discretion to not impose penalties for HIPAA violations against healthcare providers in connection with their good faith provision of telehealth during the COVID-19 public health emergency. The new guidance is in the form of frequently asked questions (FAQs) and clarifies how OCR is supporting the good faith provision of telehealth. Some of the FAQs include:

  • What covered entities are included and excluded under the notification?
  • Which parts of the HIPAA Rules are included in the notification?
  • Does the notification apply to violations of 42 CFR Part 2, the HHS regulation that protects the confidentiality of substance use disorder patient records?
  • When does the notification expire?
  • Where can health care providers conduct telehealth?
  • What is a “non-public facing” remote communication product?

The FAQs on telehealth remote communications may be found here.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Burr & Forman | Attorney Advertising
