The events unfolding with respect to COVID-19 are unprecedented. There is a lot going on, and for those out there on the front lines of health care – like my husband who is an ER doc – I know that your first priority is helping patients and ensuring everyone around you is safe and healthy.
However, I want to make sure that health care organizations and providers are aware that the federal government has taken action to temporarily “relax” certain provisions of HIPAA in order to help providers better-deliver patient care during this challenging time. Specifically, over the last several weeks, the Office of Civil Rights (OCR) has taken the following action with respect to COVID-19 and HIPAA:
HIPAA Relaxed for Telehealth & Videoconferencing.
On March 17, 2020, OCR decided to relax its HIPAA enforcement in connection with “good faith” use of telehealth and remote communication (i.e., videoconferencing) applications when they are needed for a provider to interface with patients. OCR acknowledged that certain technologies may not fully comply with the requirements of the HIPAA rules. Nevertheless, any health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. OCR expressly states that providers may use popular applications like: Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype. However, public-facing applications such as Facebook Live, Twitch, TikTok and other similar applications should NOT be used.
This enforcement discretion went into effect March 17, 2020 and will last for the duration of the public health emergency. OCR’s Notification of Enforcement Discretion for telehealth is laid out in further detail here: www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html
On March 20, OCR published additional guidance on the use of telehealth remote communications in the form of FAQs, which can be reviewed here: www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf
Limited HIPAA Waiver for Hospitals initiating Disaster Protocols.
Effective March 15, 2020, HHS Secretary Azar exercised his authority to waive sanctions and penalties against any Covered Entity hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
- the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care;
- the requirement to honor a request to Opt-out of the facility directory;
- the requirement to distribute a Notice of Privacy Practices;
- the patient’s right to request privacy restrictions; and
- the patient’s right to request confidential communications.
This Limited HIPAA Waiver applies only to the following:
- In the emergency area identified in the public health emergency declaration (i.e., the COVID -19 outbreak);
- Hospitals that have instituted a disaster protocol; and
- For up to 72 hours from the time the hospital implements its disaster protocol.
A copy of HHS’s Bulletin laying out the details of this Limited HIPAA Waiver can be found here: https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf
However, health care providers and organizations must also understand that HIPAA Privacy Rule is NOT entirely suspended during a public health or other emergency. The HHS Bulletin also reminds us that disclosures of any patient identifier to the MEDIA or other THIRD-PARTY individuals who are not directly involved in the Patient’s care are NOT permitted without the prior HIPAA Authorization of the patient or the patient’s Personal Representative (i.e., Guardian, DPOA-Health Care etc.). This includes even a confirmation or denial of the patient’s positive status for COVID-19. That said, there are certain such disclosures could be permissible if an exception under HIPAA applies to a particular situation (i.e., preventing serious and imminent threat to health) – AND all of the specific criteria of that HIPAA exception are met.
HIPAA Exceptions Permitting Disclosures.
Finally, in February 2020 OCR published a Bulletin summarizing the provisions of HIPAA which already support sharing of information in the context of the COVID-19 pandemic. These include uses and disclosures of patients’ Protected Health Information:
- For Treatment purposes;
- To a Public Health Authority or at the direction of a Public Health Authority for Public Health Activities;
- To Family, Friends and Others directly involved in the Individual’s care and for certain notification purposes
- Disclosures to Prevent a Serious and Imminent Threat to the health and safety of a person or the public (45 CFR 164.512(j);
In the near future, I will be conducting a Webinar to provide additional guidance on these topics, so if you are not subscribed to our blog make sure to do so in order to not miss any future notifications. In the meantime, Be Well!