HHS Expands HIPAA Enforcement Discretion During COVID-19

April 21, 2020

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has issued further notifications of enforcement discretion related to compliance with the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA).

Since the outbreak of COVID-19, OCR has issued numerous guidance documents indicating that it will exercise enforcement discretion in applying certain provisions of HIPAA in particular contexts, including in connection with telehealth services and hospital operations. A discussion of these prior notices is available in a previous article.

OCR has now issued additional notices of enforcement discretion regarding use and disclosure of protected health information (PHI) by business associates and community-based testing sites. Both the previous and the newly announced OCR guidance confirm that HIPAA still applies during the pandemic, but that compliance may be relaxed in certain situations to allow healthcare providers to respond effectively to the current public health emergency.

OCR Enforcement Discretion for Business Associates

OCR issued a notification on April 2, 2020, announcing it would relax enforcement of the Privacy Rule as it applies to the use and disclosure of PHI by business associates in order to aid federal and state health authorities and oversight agencies in addressing the COVID-19 crisis. The Privacy Rule, under normal circumstances, allows a business associate to use and disclose PHI for public health and oversight purposes only if permitted by a business associate agreement with the applicable covered entity. Many federal and state agencies, including the Centers for Disease Control and Prevention and the Centers for Medicare & Medicaid Services, have requested PHI from business associates for public health purposes, including public health data analytics, in an effort to address COVID-19. Many business associates have been reluctant to provide the requested information, however, because it is not expressly permitted by business associate agreements governing their use and disclosure of PHI.

OCR’s notification states that it will not impose penalties for uses and disclosures of PHI for public health activities against a business associate or covered entity under the Privacy Rule provided that (1) the business associate makes a good-faith use or disclosure of the covered entity’s PHI for public health activities consistent with 45 CFR 164.512(b) or health oversight activities consistent with 45 CFR 164.512(d); and (2) the business associate informs the covered entity within 10 calendar days after the use or disclosure occurs.

OCR has made it clear that this enforcement discretion does not apply to other requirements or obligations under the Privacy Rule or any compliance obligations or prohibitions under the HIPAA Security and Breach Notification Rules.

OCR Enforcement Discretion Regarding Community-Based Testing Sites

In another notification of enforcement discretion, OCR stated that it will not impose penalties for noncompliance with the requirements of the HIPAA Privacy, Security, and Breach Notification Rules against covered entities and business associates in connection with their good-faith operation of community-based testing sites (CBTS). The enforcement discretion is effective retroactive to March 13, 2020. For the purposes of this enforcement discretion, CBTS include mobile, drive-thru and walk-up sites providing COVID-19 specimen collection and testing. According to OCR’s notification, the good-faith operation of CBTS includes all activities that support the collection of specimens for COVID-19 testing.

While OCR will not impose penalties for violations of HIPAA in connection with the operation of CBTS, OCR recommends that providers operating CBTS continue to implement reasonable safeguards to protect PHI. Some examples of these safeguards include setting up opaque barriers to protect individuals’ identities during the collection of specimens, posting signage prohibiting filming of the CBTS and/or their patients, using secure technology at CBTS for recording and transmitting electronic PHI, and making notices of privacy practices readily viewable or available for individuals approaching CBTS.

It is important to note that this enforcement discretion does not apply to the activities of a covered entity or business associate not directly connected with the good-faith operation of CBTS. For example, a retail pharmacy participating in the operation of CBTS could still be subject to civil monetary penalties for HIPAA violations that are unrelated to the CBTS’ operation, and a clinical laboratory whose workforce members are on-site at one or more CBTS could still be subject to penalties for HIPAA violations that occur at the lab itself.

Previous Notices of Enforcement Discretion

These notices of enforcement discretion are a continuation of OCR’s provision of flexibility to the provider community and its business partners, discussed more fully in a previous article. Covered entities and business associates should take advantage of the increased flexibility granted by OCR to respond to the COVID-19 crisis, but remember that the requirements of HIPAA continue to apply except as specifically waived and under the strict limitations set forth in the official OCR notices.

Please contact the authors for additional guidance on how these issuances and other COVID-19 considerations will affect the delivery of patient care and the related rules. McGuireWoods has published additional thought leadership related to how companies across various industries can address crucial coronavirus-related business and legal issues.

COVID-19: Healthcare Video Alerts

In a series of video alerts, McGuireWoods’ healthcare lawyers address the issues providers face and how to overcome COVID-19 challenges.