HHS Office of Civil Rights Announces Guidance to Assist Providers in Navigating HIPAA During the COVID-19 Public Health Emergency

April 7, 2020
Jennifer Stuart
SmithAmundsen Health Care Alert


During the early weeks of the Novel Coronavirus (2019-nCoV) outbreak, the HHS Office of Civil Rights (OCR) recognized that HIPAA-covered entities and business associates had questions about how to share needed PHI relating to COVID-19. Since that time, HHS has issued several Notices, Bulletins, and FAQs in an effort to: (1) ensure covered entities (CE) and business associates (BA) are aware of the ways PHI may be shared under the HIPAA Privacy Rule in the event of an outbreak of infectious disease or other emergency situations; and (2) remove the fear of HIPAA prosecution and punishment related to PHI disclosures made by CE in their treatment of patients with COVID-19. These announcements have helped educate CE and BA that, although an emergency does not obviate the existence and enforcement of HIPAA's Privacy Rule, the Department will be exercising "enforcement discretion" for certain methods of sharing PHI that otherwise may not be fully compliant with HIPAA, as long as that information is shared based on a good faith belief that the use or disclosure is necessary for patient treatment or public health reasons.

Guidance on Disclosures to First Responders and Public Health Authorities

On February 3, 2020, HHS released guidance addressing the ways in which the HIPAA Privacy Rule permits the use or disclosure of PHI in many circumstances that may arise during the COVID-19 outbreak. This guidance confirmed that the Privacy Rule permits a CE to disclose the PHI of an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities, without the individual's HIPAA authorization, in certain circumstances. Several example circumstances were given, including:

Notably, except when disclosure of PHI is required by law or for treatment, a CE still must make reasonable efforts to limit the PHI used or disclosed to the "minimum necessary" to accomplish the disclosure's purpose (45 CFR 164.502(b)).

Section 1135 Waivers

Section 1135 of the Social Security Act provides that when the President declares a disaster or emergency under the Stafford Act or the National Emergencies Act and the HHS Secretary declares a public health emergency under Section 319 of the Public Health Service Act, the Secretary is authorized to take certain actions in addition to his or her regular authority, including issuing waivers of certain Medicare, Medicaid, and Children's Health Insurance Program requirements. These waivers typically end no later than the termination of the emergency period, unless extended by notice for additional periods. Notably, 1135 waivers apply only to Federal requirements and do not apply to State requirements.

On January 31, 2020, the HHS Secretary declared a public health emergency under the Public Health Service Act. On March 13, 2020, President Trump declared a national emergency under the National Emergencies Act and made an emergency determination under the Stafford Act.  These actions triggered the HHS Secretary’s authority to issue waivers of certain Medicare, Medicaid, and Children’s Health Insurance Program requirements as provided by Section 1135 of the Social Security Act.  Following President Trump’s emergency declaration on March 13, CMS announced a set of waivers relating to the COVID-19 emergency.

On March 17, 2020, the HHS Office for Civil Rights (OCR) released a Notice of Enforcement Discretion applicable to all health care providers covered by HIPAA and providing telehealth services during the emergency.  Among other things, the Notice recognized that “during the COVID-19 national emergency, which also constitutes a public health emergency, covered health providers subject to the HIPAA Rules may seek to communicate with patients and provide telehealth services through remote communication technologies.”  HHS further acknowledged that some telehealth technologies and the manner in which they are used may not fully comply with HIPAA. In its Notice, HHS attempted to strike a balance between ensuring the security of an individual’s PHI and an individual’s need for treatment via telehealth applications.

OCR stated it would exercise its enforcement discretion and not impose penalties against covered health care providers who, in the good faith provision of telehealth during the COVID-19 emergency, were noncompliant with the requirements of the HIPAA Rules. OCR explicitly recognized that covered health care providers may use apps for video chats, including Apple FaceTime, Facebook Messenger Video Chat, Google Hangouts video, Zoom, or Skype, to provide telehealth services without risk that OCR might seek to impose penalties for noncompliance. Providers were urged to notify patients that those kinds of third-party applications potentially introduce privacy risks, and OCR cautioned that providers should enable all available encryption and privacy modes when using the applications.

OCR also identified several public-facing video chat applications that should not be used in the provision of telehealth by covered health care providers, including Facebook Live, Twitch, TikTok, and similar video communication apps. Additionally, it noted that covered health care providers who seek additional privacy protections for telehealth while using services through technology vendors should do so with HIPAA-compliant vendors who will enter into Business Associate Agreements (BAA) in the provision of their video communication products.

On March 16, 2020, the HHS Secretary announced multiple waivers of sanctions and penalties for specific provisions of the HIPAA Privacy Rule during the nationwide COVID-19 public health emergency pursuant to Section 1135 of the Social Security Act. The waivers apply to the following HIPAA provisions:

The waiver specifically noted that the above waivers only apply to the Privacy Rule requirements: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

On April 2, 2020, HHS issued a Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of PHI by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19. HHS noted that current HIPAA Privacy Rule regulations allow a HIPAA business associate (BA) to use and disclose PHI for public health and health oversight only if expressly permitted by its BAA with a HIPAA covered entity (CE).

Exercising its enforcement discretion, HHS announced that OCR would not impose potential penalties for violations of certain provisions of the HIPAA Privacy Rule against covered health providers or their BAs for uses and disclosures of PHI by BAs for public health and health oversight activities during the COVID-19 emergency. The notification states it will remain in place until the HHS Secretary declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, whichever occurs first.

OCR's enforcement discretion comes into play only if the BA made a good faith use or disclosure of the CE's PHI for public health activities consistent with 45 CFR 164.512(b), or for health oversight activities consistent with 45 CFR 164.512(d), and the BA informs the CE within ten (10) calendar days after the use or disclosure occurs or commences.

Examples of these types of disclosures may include PHI disclosure to the CDC (or similar State-level authority) for the purpose of controlling the spread of COVID-19, consistent with 45 CFR 164.512(b); or to CMS (or similar state-level public health authority) for purposes of overseeing and providing assistance for the health care system as it relates to the COVID-19 response, consistent with 45 CFR 164.512(d).

The Notice specified that its exercised enforcement discretion did not extend to other requirements or provisions under the Privacy Rule, or to any obligations under the HIPAA Security and Breach Notification Rules. BAs remain responsible for complying with the Security Rule’s requirements to implement safeguards and maintain the confidentiality, integrity, and availability of electronic PHI, including by ensuring secure transmission of ePHI to the public health authority or health oversight agency.