HHS Issues Two Important Bulletins Waiving HIPAA Sanctions During the COVID-19 National Emergency

Alerts / March 18, 2020

The HHS Office for Civil Rights (OCR) issued two important bulletins this week regarding the novel coronavirus disease (COVID-19) outbreak. On Mar. 16, OCR issued a limited waiver of HIPAA sanctions and penalties for noncompliance with certain provisions of the HIPAA Privacy Rule, including the requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care and the requirement to distribute a Notice of Privacy Practices to patients. Currently, the waiver applies only to those hospitals located in the emergency area identified in the public health emergency declaration that have instituted a disaster protocol, and then only for 72 hours from the time at which the disaster protocol was implemented. It is unclear if OCR will extend the time period for this waiver given the widespread and potentially prolonged nature of the COVID-19 outbreak. The bulletin also reminds providers that affirmative reporting to the media or the public about any identifiable patient may not be done without the written authorization of the patient or the patient’s personal representative. A copy of the bulletin can be found here.

On Mar. 17, OCR issued a Notification of Enforcement Discretion, which waived penalties during the COVID-19 national emergency for the good faith use of telehealth that may not comply with the HIPAA Privacy Rule requirements. In its Notice, OCR expressly permitted the use of video-chat applications on a provider’s computer or phone, such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video or Skype, to provide telehealth, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19, without risk that OCR might seek to impose a penalty for HIPAA noncompliance. However, OCR warned that Facebook Live, Twitch, TikTok and similar public-facing video communication applications should not be used in the provision of telehealth by providers. The guidance also encouraged providers to first notify patients that these third-party applications may create privacy risks, and also noted that providers should enable all available encryption and privacy modes when using these applications. Notably, OCR announced that it will not impose penalties against covered healthcare providers for the lack of a business associate agreement with such video communication vendors. A copy of the Notification can be found here.

Limited Waiver of HIPAA Sanctions and Penalties During COVID-19 National Emergency

In the first bulletin, OCR issued a limited waiver of HIPAA sanctions and penalties for noncompliance with certain provisions of the HIPAA Privacy Rule in response to the presidential declaration of a nationwide emergency due to COVID-19. While the bulletin provides that the HIPAA Privacy Rule itself is not suspended during this emergency, as of Mar. 15, OCR has waived sanctions and penalties against those hospitals located in the emergency area identified in the public health emergency declaration that have implemented a disaster protocol, for failure to comply with the following provisions of the HIPAA Privacy Rule:

  • The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • The requirement to honor a request to opt out of the facility directory.
  • The requirement to distribute a Notice of Privacy Practices.
  • The patient’s right to request privacy restrictions.
  • The patient’s right to request confidential communications.

Notably, however, the bulletin provides that the waiver is currently in effect for only 72 hours from when the hospital first implemented its disaster protocol. Since these types of HIPAA waivers are typically issued during natural disasters such as hurricanes, the 72-hour time limit generally is sufficient. However, given the unique circumstances of the COVID-19 outbreak, it is possible that OCR may elect to extend the waiver, but it has not yet done so.

The bulletin also reminds providers that even without a waiver, the HIPAA Privacy Rule already gives providers wide latitude to share patient health information for a number of purposes relevant during an outbreak such as this, including for treatment, public health activities, or to lessen a serious or imminent threat to health or safety. However, the bulletin also notes that affirmative reporting to the media or the public about any identifiable patient may not be done without the written authorization of the patient or the patient’s personal representative.

Notice of Enforcement Discretion for Telehealth During COVID-19 Outbreak

On Mar. 17, OCR also issued a Notice of Enforcement Discretion, which provides that it will waive potential HIPAA penalties during the COVID-19 national emergency for good faith use of telehealth that fails to comply with the HIPAA Privacy Rule requirements. According to the guidance, a healthcare provider that wants to use audio or video communication technology connecting the provider’s or patient’s phone or desktop computer to provide telehealth to patients during the COVID-19 nationwide emergency can use any non-public-facing remote communication product that is available to communicate with patients in good faith, even if for reasons not related to COVID-19, such as a sprained ankle.

According to OCR, providers may use a variety of video-chat applications, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for HIPAA noncompliance if the use is related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency. OCR also warned that Facebook Live, Twitch, TikTok and similar public-facing video communication applications should not be used in the provision of telehealth by covered healthcare providers. OCR encouraged providers to notify patients that these third-party applications may create privacy risks and recommended that providers enable all available encryption and privacy modes when using such applications.

The notice also included a list of vendors for providers to consider using for telehealth, such as Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me and Google G Suite Hangouts Meet. While OCR stated that it did not necessarily endorse the use of these vendors, it noted that it believed these vendors would enter into a business associate agreement with providers. However, OCR also announced that it will not impose penalties against covered healthcare providers for the lack of a BAA with video communication vendors. During this unprecedented national emergency, the guidance gives providers some much-needed flexibility and discretion to treat patients in good faith using their professional judgment as to the most efficient means without fear of further spreading infection and risking any penalties for HIPAA noncompliance.

Authorship Credit: Vimala Devassy

Baker & Hostetler LLP publications are intended to inform our clients and other friends of the firm about current legal developments of general interest. They should not be construed as legal advice, and readers should not act upon the information contained in these publications without professional counsel. The hiring of a lawyer is an important decision that should not be based solely upon advertisements. Before you decide, ask us to send you written information about our qualifications and experience.