March 27, 2020
Since the outbreak of COVID-19, the Department of Health and Human Services Office for Civil Rights (OCR) has issued various guidance documents on compliance with the Health Insurance Portability and Accountability Act of 1996 and its regulations. The topics include OCR’s discretion in enforcing HIPAA with respect to telehealth services, waiving hospital compliance with the HIPAA Privacy Rule in limited circumstances, and Privacy Rule compliance in the absence of specific waiver. The OCR guidance, discussed below, confirms that HIPAA still applies during the pandemic but compliance may be relaxed in certain situations to allow healthcare providers to respond effectively to the current public health emergency.
1. OCR Enforcement Discretion Regarding Telehealth
On Feb. 3, 2020, HHS released a guidance bulletin reminding all covered entities and their business associates that the requirements of HIPAA still apply during a national public health emergency, such as the COVID-19 pandemic. The Feb. 3 guidance and specific compliance matters are discussed in more detail below. However, on March 17, 2020, OCR issued a notification that it will exercise its enforcement discretion specifically with respect to telehealth services during the COVID-19 public health emergency. OCR followed the notification with an FAQ. In the notice, OCR recognized that some of the remote communication technologies that providers use to connect with patients to provide telehealth services may not be fully compliant with HIPAA. OCR stated, however, that it will exercise enforcement discretion by not imposing any penalties for noncompliance with regulatory requirements under HIPAA in connection with the good-faith provision of telehealth during the COVID-19 nationwide public health emergency.
OCR clarified that it would consider the facts and circumstances of each individual case when determining whether a health care provider acted in good faith in connection with providing telehealth services. OCR provided examples of what would be considered “bad faith,” including further uses of protected health information (PHI) transmitted through telehealth, such as sale of the data; violations of state licensing laws or standards that result in disciplinary action related to the treatment offered or provided via telehealth; and the use of public-facing remote communication products discussed below. OCR’s enforcement discretion extends to all provisions of HIPAA applicable to telehealth, including the Privacy, Security and Breach Notification Rules. OCR also clarified that the enforcement discretion applies to all telehealth services rendered during this time, regardless of whether such telehealth services are specifically related to the diagnosis and treatment of COVID-19.
OCR explained that, despite its exercise of enforcement discretion, providers who furnish telehealth services must use nonpublic-facing audio and video telecommunication technologies with patients, such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video or Skype. Providers should not use public-facing telecommunication technologies — such as Facebook Live, Twitch or TikTok — to communicate with patients, as communications on these social media platforms are not private and are shared widely. OCR encouraged all telehealth providers to continue using the most secure technology available and to enter into proper business associate agreements with technology vendors whenever possible. However, consistent with its exercise of enforcement discretion, OCR emphasized that it will not impose penalties against covered healthcare providers for the lack of a business associate agreement with video communication vendors. OCR recommended that providers notify patients that any unapproved third-party applications potentially introduce privacy risks, and suggested that providers enable all available encryption and privacy modes when using such applications. More information about OCR’s guidance on remote communications for telehealth services can be found here and here.
2. HHS Privacy Rule Waiver for Hospitals in Disaster Protocol
In addition to relaxing HIPAA enforcement for telehealth services, HHS Secretary Alex Azar issued a waiver of certain provisions of the HIPAA Privacy Rule under his authority granted by the Project Bioshield Act of 2004 and section 1135(b)(7) of the Social Security Act, effective March 15, 2020. Azar waived sanctions and penalties against covered hospitals that do not comply with the following requirements of the Privacy Rule: (1) obtaining a patient’s agreement to speak with family members or friends involved in the patient’s care; (2) honoring a request to opt out of the facility directory; (3) distributing a notice of privacy practices; (4) honoring the patient’s right to request privacy restrictions; and (5) honoring the patient’s right to request confidential communications. This waiver only applies to hospitals that have instituted a disaster protocol, and only in the emergency area identified in the public health emergency declaration, i.e., treatment of patients for COVID-19. Further, the waiver only applies for up to 72 hours from the time the hospital implements its disaster protocol. Except as specifically waived and under these strict limitations, the requirements of the Privacy Rule continue to apply.
3. HHS Privacy Rule Emergency Provisions Guidance Bulletin
On Feb. 3, 2020, HHS released a guidance bulletin reminding all covered entity healthcare providers and their business associates that the HIPAA Privacy Rule still applies during a national health emergency, such as the COVID-19 pandemic, and how PHI can permissibly be disclosed during this time. While this guidance was released before the rapid spread of the COVID-19 pandemic in the United States, the guidance is still applicable to the extent it has not been specifically superseded by the subsequent issuances discussed above. While the waiver discussed above waives certain Privacy Rule provisions for hospitals in limited circumstances, it does not suspend the Privacy Rule. The guidance addresses a few particularly relevant provisions of the Privacy Rule that covered entities and business associates should remember during this time:
Please contact the authors for additional guidance on how these issuances and other COVID-19 considerations will affect the delivery of patient care and the related rules. McGuireWoods has published additional thought leadership related to how companies across various industries can address crucial coronavirus-related business and legal issues.