Important information on the 2019 Novel Coronavirus and HIPAA compliance, the limited HIPAA waiver announced by the HHS, and potential violations of HIPAA Rules in relation to telecommunications platforms and the use of telehealth services in a public health emergency.
The 2019 Novel Coronavirus Pandemic
On January 31, 2020, the 2019 Novel Coronavirus (SARS-CoV-2) outbreak was declared a public health emergency for the United States by the Secretary of the Department of Health and Human Services, Alex Azar. As of March 16, 2020, more than 4,000 cases of COVID-19, the disease caused by SARS-CoV-2, had been confirmed in the United States and there had been 75 deaths. Those figures are expected to rise sharply in the coming weeks and months.
Dealing with a major outbreak of a highly infectious disease with a high mortality rate creates many challenges for healthcare organizations, including how to remain compliant with HIPAA. During a public health emergency, HIPAA Rules still apply. Compliance with the HIPAA Security Rule remains essential for ensuring the confidentiality, integrity, and availability of ePHI, and compliance with the HIPAA Privacy Rule remains necessary to ensure that the privacy of patients is protected.
HIPAA Rules are still in effect during public health emergencies, but the Secretary of the HHS may choose to waive certain sanctions and penalties for noncompliance with certain provisions of the HIPAA Privacy Rule. The HHS’ Office for Civil Rights may also exercise enforcement discretion for noncompliance with some aspects of HIPAA Rules.
In response to the Novel Coronavirus public health emergency, the HHS Secretary issued a limited HIPAA waiver that took effect on March 15, 2020. The waiver only applies in the locations covered by the public health emergency, only for hospitals that have implemented their disaster protocol, and only for 72 hours from the time the disaster protocol is implemented. When the Presidential or Secretarial declaration of a public health emergency terminates, hospitals must comply with all requirements of the HIPAA Privacy Rule for patients still under their care, even if the 72 hours have not yet elapsed.
The limited HIPAA waiver only applies to the following HIPAA provisions:
- The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care (see 45 CFR 164.510(b));
- The requirement to honor a request to opt out of the facility directory (see 45 CFR 164.510(a));
- The requirement to distribute a notice of privacy practices (see 45 CFR 164.520);
- The patient’s right to request privacy restrictions (see 45 CFR 164.522(a));
- The patient’s right to request confidential communications (see 45 CFR 164.522(b)).
Allowable Uses and Disclosures of Protected Health Information in a Public Health Emergency
Even without a limited HIPAA waiver, healthcare organizations are permitted to use and disclose certain patient information without first obtaining authorization from patients. The HIPAA Privacy Rule permits covered entities to use and disclose protected health information (PHI) for treatment, payment, and healthcare operations and for public health activities, and to disclose information to a patient’s friends, family members, and other people involved in the patient’s care. Disclosures are also permitted to prevent or lessen a serious or imminent threat to the health and safety of a person or the general public. In all cases, the minimum necessary standard applies: the information disclosed must be restricted to the minimum amount necessary to achieve the purpose of the disclosure.
OCR’s Novel Coronavirus and HIPAA compliance bulletin, which explains the allowable uses and disclosures of PHI in emergency situations such as disease outbreaks and gives details of the limited HIPAA waiver, can be viewed on this link.
Novel Coronavirus and HIPAA Compliance in Relation to Telehealth Services
To help prevent the spread of COVID-19 it is important for patients to be isolated. A range of communication technologies can be used to make contact with patients in their own homes and to provide telehealth services without exposing others to the risk of infection. These tools can also be used to make contact with a patient’s caregivers, friends, and family members, or to contact people believed to have been exposed to SARS-CoV-2.
Under normal circumstances, telehealth services can be provided in a manner that is fully compliant with HIPAA Rules, but in emergency situations it is possible that communication tools will be used in a way that is not completely compliant with HIPAA. For instance, a communications platform may be used to discuss ePHI without a business associate agreement being in place with the vendor, as would be the case if ePHI were disclosed over Skype without such an agreement.
The HHS’ Office for Civil Rights has announced that it will exercise enforcement discretion if it is discovered that a HIPAA-covered entity is not in compliance with certain aspects of HIPAA Rules in relation to good faith efforts to provide telehealth services during the Novel Coronavirus public health emergency.
“OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency,” explained OCR. “This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.”
According to OCR’s notice of enforcement discretion, “Covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”
It is important to note that the enforcement discretion covers only non-public facing communication products; the use of public-facing video communications applications such as Facebook Live or TikTok is not permitted for providing telehealth services to patients.
OCR’s notice of enforcement discretion is available here.