OCR HIPAA Guidance in Light of COVID-19
Over the past several weeks, the Office for Civil Rights ("OCR"), the entity responsible for compliance with and enforcement of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations ("HIPAA"), has issued several notices regarding HIPAA in light of the current COVID-19 pandemic. This article will summarize some of the recent notices.
February 3, 2020: On February 3, 2020, OCR issued its first bulletin regarding HIPAA privacy requirements and COVID-19 to ensure that HIPAA covered entities and their business associates were aware of the ways that patient information may be shared in an outbreak of infectious disease or other emergency situation, and to serve as a reminder that the protections of the HIPAA Privacy Rule are not set aside during an emergency. The February 3rd bulletin addressed sharing information for treatment purposes, public health activities (i.e., to a public health authority such as the CDC or health department and to persons at risk), disclosures to family, friends, and others involved in an individual's care and for notification purposes, to disaster relief organizations, to prevent a serious and imminent threat, and facility directories. The February 3rd bulletin reminded providers that, when applicable, they must adhere to the minimum necessary standards, but that providers may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose, when that reliance is reasonable under the circumstances. Further, the bulletin advised that in an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against impermissible uses and disclosures and must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronically protected health information. The Bulletin is available here.
March 16, 2020: On March 16, 2020, OCR issued another bulletin this time on the limited waiver of HIPAA sanctions and penalties during a nationwide public health emergency. While the HIPAA Privacy Rule is not suspended during a public health or other emergency, the Secretary of HHS may waive certain provisions of the Privacy Rule. In response to the declaration of a nationwide emergency concerning COVID-19, the Secretary of HHS has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
- the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care;
- the requirement to honor a request to opt out of the facility directory;
- the requirement to distribute a notice of privacy practices;
- the patient's right to request privacy restrictions; and
- the patient's right to request confidential communications.
The waiver became effective on March 15, 2020. When the Secretary issues such a waiver, it only applies: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol. The bulletin is available here.
March 17, 2020: On March 17, 2020, OCR issued a Notification of Enforcement Discretion for Telehealth Remote Communications during the COVID-19 Nationwide Public Health Emergency. OCR stated that it would relax its enforcement actions with regard to compliance with certain aspects of HIPAA (and not enforce penalties) in order to allow providers to better treat their patients via telehealth. A health care provider that wants to use audio or video communication technology to provide telehealth to patients during the public health emergency can use any non-public facing remote audio or video communication product that is available to communicate with patients. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19. Pursuant to this notice, health care providers may use applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules. However, communication applications that are public facing should not be used. OCR further stated that it would not impose penalties against health care providers for the lack of a Business Associate Agreement with video communication vendors. The full notice is available here.
March 20, 2020: On March 20, 2020, OCR issued additional guidance on telehealth during the COVID-19 nationwide public health emergency. OCR had previously announced that it was exercising its enforcement discretion to not impose penalties for HIPAA violations against healthcare providers in connection with their good faith provision of telehealth during the COVID-19 public health emergency. The new guidance is in the form of frequently asked questions (FAQs) and clarifies how OCR is supporting the good faith provision of telehealth. Some of the FAQs include:
- What covered entities are included and excluded under the notification?
- Which parts of the HIPAA Rules are included in the notification?
- Does the notification apply to violations of 42 CFR Part 2, the HHS regulation that protects the confidentiality of substance use disorder patient records?
- When does the notification expire?
- Where can health care providers conduct telehealth?
- What is a “non-public facing” remote communication product?
The FAQs on telehealth remote communications may be found here.
March 24, 2020: On March 24, 2020, OCR issued guidance designed to help first responders and others receive PHI regarding patients infected with or exposed to COVID-19. The guidance explains the circumstances under which a covered entity may disclose PHI, such as the name or other identifying information about individuals, to law enforcement, paramedics, other first responders, and public health authorities without HIPAA authorization, and provides examples including:
- When needed to provide treatment;
- When required by law;
- When first responders may be at risk for an infection; and
- When disclosure is necessary to prevent or lessen a serious and imminent threat.
The guidance clarifies the regulatory permissions that covered entities may use to disclose minimum necessary PHI to first responders and others so they can take extra precautions or use personal protective equipment. The guidance may be found here.
April 2, 2020: On April 2, 2020, OCR announced that, effective immediately, it would not impose penalties against healthcare providers and their business associates for violations of certain provisions of the HIPAA Privacy Rule with regard to good faith uses and disclosures of PHI by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency. This enforcement discretion is designed to support federal public health authorities and health oversight agencies (such as the CDC and CMS), state and local health departments, and state emergency operations centers who need access to COVID-19 related data. The HIPAA Privacy Rule already permits covered entities to provide this data, and this announcement now permits business associates to also share this data without risk of a HIPAA penalty, regardless of the terms of the applicable Business Associate Agreement. The business associate is required to notify the covered entity of the disclosure within ten (10) days. This Notification of Enforcement Discretion may be found here.
April 9, 2020: On April 9, 2020, OCR announced that it will exercise its enforcement discretion and will not impose penalties for violations of the HIPAA Rules against covered entities or business associates in connection with good faith participation in the operation of COVID-19 Community Based-Testing Site ("CBTS") during the nationwide public health emergency. This notification was issued to support certain covered health care providers that may choose to participate in the operation of a CBTS, which includes mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public. OCR encourages covered health care providers participating in the good faith operation of a CBTS to implement reasonable safeguards to protect the privacy and security of individuals’ PHI, including the following:
- Using and disclosing only the minimum PHI necessary except when disclosing PHI for treatment.
- Setting up canopies or similar opaque barriers at a CBTS to provide some privacy to individuals during the collection of samples.
- Controlling foot and car traffic to create adequate distancing at the point of service to minimize the ability of persons to see or overhear screening interactions at a CBTS. A six foot distance would serve this purpose as well as supporting recommended social distancing measures to minimize the risk of spreading COVID-19.
- Establishing a “buffer zone” to prevent members of the media or public from observing or filming individuals who approach a CBTS, and posting signs prohibiting filming.
- Using secure technology at a CBTS to record and transmit electronic PHI.
- Posting a Notice of Privacy Practices ("NPP"), or information about how to find the NPP online, if applicable, in a place that is readily viewable by individuals who approach a CBTS.
Although covered health care providers and business associates are encouraged to implement these reasonable safeguards at a CBTS, OCR will not impose penalties for violations of the HIPAA Rules that occur in connection with the good faith operation of a CBTS. This discretion does not apply to covered health care providers or their business associates when such entities are performing non-CBTS related activities. This exercise of enforcement discretion is retroactive to March 13, 2020. The notification may be found here.