Department of Health and Human Services: COVID-19’s Impact on HIPAA Requirements

Covered entities struggle with the intricacies of HIPAA every day; however, dealing with those intricacies in the midst of a widespread pandemic like COVID-19 is uncharted territory. The United States Department of Health and Human Services (“HHS”) has made a series of announcements and provided guidance for covered entities on a number of points. HIPAA contains existing provisions that allow for certain information to be shared for treatment purposes and in public health emergencies.

OCR Announces Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency

HHS announced on March 17, 2020 that effective immediately, the HHS Office for Civil Rights (“OCR”) will exercise enforcement discretion and waive penalties for HIPAA violations against health care providers that serve patients in good faith through everyday communications technologies, such as FaceTime or Skype, during the COVID-19 nationwide public health emergency.[i] This announcement will expand Americans' access to telehealth services during the COVID-19 outbreak. More detailed guidance from HHS on the telehealth announcement can be found at the following:

Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency

Effective March 15, 2020, in response to the declaration of a nationwide emergency concerning COVID-19 and Secretary of HHS Alex M. Azar’s earlier declaration of a public health emergency, Secretary Azar has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule (the “Waiver”)[ii]:
  • the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient's right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient's right to request confidential communications. See 45 CFR 164.522(b).
The Waiver became effective on March 15, 2020. When the Secretary issues such a waiver, it applies only: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol. The Waiver goes on to describe the provisions within HIPAA that allow for certain patient information to be shared, as originally detailed within the “HIPAA Privacy and Novel Coronavirus” Bulletin released by HHS on February 3, 2020.

HIPAA Privacy and Novel Coronavirus

On February 3, 2020 HHS released a bulletin titled “HIPAA Privacy and Novel Coronavirus” (the “Bulletin”).[iii] The Bulletin describes how patient information can be shared in emergency situations and during a national health crisis, while reminding covered entities and business associates that HIPAA’s privacy protections remain in effect. HIPAA contains existing provisions that allow for information to be shared for treatment purposes and in public health emergencies. The Bulletin should be read in its entirety before an entity makes a decision regarding the disclosure of patient information.

The Bulletin outlines the permitted uses and disclosures of certain protected health information (“PHI”) in emergencies, when specific circumstances are met, such as the following:
  • to provide treatment,
  • for public health activities,
  • to family, friends, and others involved in an individual’s care and for notification,
  • to prevent or lessen a serious and imminent threat.
Disclosure of PHI to the media or others not involved in the care of the individual is more nuanced and requires a thorough analysis. Typically, PHI may not be disclosed in this scenario unless the individual has given written authorization or another HIPAA exemption applies.

For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose. In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures.

For additional information, please contact Taryn Stone, Rachel Spiker or Mason Clark.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.