
HHS and OCR Ease HIPAA Applicability and Enforcement to Support Healthcare Delivery During COVID-19 Public Health Emergency

Client Alert | 3 min read | 03.19.20

As the COVID-19 pandemic is leading to social distancing to limit the spread of the disease, health care providers and patients look to remote communication technology to facilitate the provision of health care services related to COVID-19 symptoms, as well as other health care conditions.  Additionally, public health measures to limit the spread of the disease increasingly require the sharing of health information.  As a result, questions have arisen about what information sharing is permitted under HIPAA.  While HIPAA remains in effect during this time, waivers of certain enforcement provisions may allow for enhanced information sharing, and the exercise of enforcement discretion enables the use of an expanded range of telehealth communication platforms that would not generally be permissible.

Waivers and HIPAA Provisions

While the HIPAA Privacy Rule is not suspended during a national or public health emergency, Section 1135(b)(7) of the Social Security Act (SSA) allows the Secretary of the U.S. Department of Health and Human Services (HHS) to waive certain HIPAA Privacy Rule sanctions and penalties in such an event.

Secretary Azar of HHS and President Trump have declared a nationwide public health emergency under Section 319 of the Public Health Service Act and a national emergency under Sections 201 and 301 of the National Emergencies Act, respectively. President Trump’s proclamation of a national emergency, from March 13, specifically stated that the Secretary of HHS “may exercise the authority under section 1135 of the SSA to temporarily waive or modify certain requirements of the Medicare, Medicaid, and State Children’s Health Insurance programs and of the Health Insurance Portability and Accountability Act Privacy Rule throughout the duration of the public health emergency declared in response to the COVID‑19 outbreak.”

That same day, Secretary Azar of HHS issued a Section 1135 waiver of sanctions and penalties arising from noncompliance with certain provisions of the HIPAA privacy regulations for hospitals that have disaster protocols in operation. These include:

  1. The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care or to honor a request to opt out of the facility directory (45 CFR § 164.510); 
  2. The requirement to distribute a notice of privacy practices (45 CFR § 164.520); and
  3. The patient's right to request privacy restrictions or confidential communications (45 CFR § 164.522).

The waiver has retroactive effect to March 1.

Enforcement Discretion Under HIPAA Regarding Telehealth Communications

On March 17, the HHS Office for Civil Rights (OCR) published a notice indicating that it will exercise enforcement discretion and waive potential penalties for HIPAA violations against health care providers that serve patients using certain communications technologies during the COVID-19 nationwide public health emergency. This enforcement policy will allow health care providers to offer telehealth services to patients using widely available communications technology, such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, without regard to whether the technology meets HIPAA requirements or whether the health care provider has a business associate agreement with the vendor. OCR will not impose penalties for use of such technology during this period of time, regardless of whether the telehealth service is directly related to COVID-19. OCR notes, however, that public-facing video communications applications, such as Facebook Live, Twitch, and TikTok, should not be used in the provision of telehealth by covered health care providers.

OCR does highlight certain technology vendors that claim to offer HIPAA-compliant video communications applications.  Since the enforcement discretion will only be in place during the public health emergency, health care providers may wish to consider communication platforms that they could continue to utilize after the emergency is over.  At that time, if not sooner, the health care provider should conduct a risk assessment and mitigate any risks related to use of the new technology, as well as put into place a business associate agreement with the technology vendor.

Please contact Jodi Daniel or any member of our team as issues arise related to uses and disclosures of health information related to COVID-19 and the applicability of HIPAA.
