Article Note: legal changes have been occurring hourly as the Trump Administration and Federal agencies respond to the COVID-19 pandemic. This Alert was originally issued on March 13, 2020, with content current as of 3:45 p.m. EST. It was subsequently updated as of 9:30 p.m. EST March 16, 2020, 3:45 p.m. EST March 17, 2020, and 8:45 p.m. EST March 17, 2020. We will continue to monitor and strive for timely updates as applicable.
In this update, we incorporate information on waivers of penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency (announced March 17, 2020). OCR’s evening announcement expands on the enforcement discretion related to telehealth announced by CMS earlier in the day.
Healthcare providers are on the front lines of the rapidly evolving COVID-19 pandemic. Public anxiety is running high, and media scrutiny is intense. As providers are faced with escalating inquiries and public demand for information, they must remain cognizant of patient privacy rights and vigilant in their HIPAA compliance. It is critical to understand what information can be disclosed and under what circumstances; below we outline important tips to assist providers in maintaining compliance:
1. Emergencies do not exempt providers from compliance – but limited waivers of sanctions and penalties for certain compliance requirements have been issued.
It is important to remember that HIPAA protections are not automatically waived during an emergency like the COVID-19 pandemic. The requirements of the HIPAA rules generally remain in place. However, in limited circumstances, the Secretary of HHS does have the authority to waive sanctions and penalties for noncompliance with certain provisions of the rules.
Accordingly, pursuant to President Trump’s declaration of a national emergency on March 13, 2020, and HHS Secretary Azar’s earlier declaration of a public health emergency, HHS has announced two areas in which it is waiving sanctions and penalties during the period of declared emergency:
HHS announced that it will waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
The waiver became effective on March 15, 2020, retroactive to March 1, 2020, and a bulletin discussing the waiver can be accessed here. When the Secretary issues such a waiver, it only applies:
On March 17, 2020, HHS announced that it will waive sanctions and penalties for HIPAA violations against health care providers that provide telehealth services to patients in good faith through everyday communications technologies, such as FaceTime or Skype, during the COVID-19 nationwide public health emergency.
Specifically, OCR stated, “A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.”
Importantly, OCR explained:
In contrast to the above, providers may not use Facebook Live, Twitch, TikTok, and similar video communication applications in the provision of telehealth because they are public facing.
More details, including the press releases, fact sheets, and FAQs for the applicable announcements, can be found here and here.
2. Certain information can be shared pursuant to limited HIPAA exceptions, or pursuant to a HIPAA-compliant Authorization.
HHS issued a helpful bulletin via its Privacy and Security listservs on February 3, 2020, addressing ways that patient information may be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation. The bulletin is available here.
3. Innovate and adapt – but use caution.
With the spread of COVID-19, providers may be looking for ways to help patients that will also decrease exposure and community spread, such as telemedicine. However, even as certain requirements are modified in the face of the pandemic, HIPAA as a whole has not been waived as of the time of this alert, and the only waivers of sanctions, penalties, and compliance requirements are those described above. Thus, any telemedicine encounter should be conducted in a HIPAA-compliant way within the bounds of the waivers. Further, covered entities and business associates should keep in mind that the requirements and safeguards of the HIPAA Privacy and Security Rules will likely return to full enforcement following the expiration of the waivers.
4. Seek counsel where greater clarity is needed.
Providers should carefully review the HIPAA regulations and HHS’s guidance, and consider consulting qualified legal counsel if they are unsure about how HIPAA applies, such as whether a use or disclosure is permitted, whether an authorization is compliant, or whether a business associate agreement is required. Guidance from regulators is evolving as the situation continues to develop, and providers should stay informed and monitor for updates.