Following the outbreak of COVID-19 in late 2019, the U.S. Department of Health and Human Services' ("HHS") Office for Civil Rights ("OCR") has issued guidance for covered entities and business associates regulated by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") Privacy, Security, and Breach Notification Rules (the "HIPAA Rules"). The guidance is intended to assist covered entities and business associates in handling patients' protected health information ("PHI") during the public health emergency. We provide an overview of the following three notices issued by OCR between February and March 2020: (1) the HIPAA Limited Waiver Under Section 1135, (2) the Notification of Enforcement Discretion for Telehealth Remote Communications, and (3) the General OCR Bulletin on HIPAA.

HIPAA Limited Waiver Under Section 1135

On March 13, 2020, OCR issued its Waiver or Modification of Requirements under Section 1135 of the Social Security Act. Notably, the HIPAA Rules are not waived in their entirety. Rather, the waiver under Section 1135 is limited to the following requirements:

  1. Obtaining a patient's agreement to speak with family members or friends involved in the patient's care (see 45 C.F.R. § 164.510(b));
  2. Honoring a request to opt out of the facility directory (see 45 C.F.R. § 164.510(a));
  3. Distributing a notice of privacy practices (see 45 C.F.R. § 164.520);
  4. Honoring the patient's right to request privacy restrictions (see 45 C.F.R. § 164.522(a)); and
  5. Honoring the patient's right to request confidential communications (see 45 C.F.R. § 164.522(b)).

The waiver became effective on March 15, 2020, and applies retroactively to March 1, 2020. The waiver applies only (a) in the emergency areas identified in the public health emergency declaration, (b) to hospitals that have instituted a disaster protocol, and (c) for up to seventy-two hours after the hospital institutes its disaster protocol. All other requirements under the HIPAA Rules, including the breach notification requirements and the obligation to implement reasonable safeguards to protect patient information from impermissible uses or disclosures, remain in full force and effect.

Notification of Enforcement Discretion for Telehealth Remote Communications

On March 17, 2020, OCR issued its Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency. Importantly, OCR makes clear that, to the extent possible, HIPAA-covered health care providers should provide telehealth services through technology vendors that are HIPAA compliant and that will enter into HIPAA business associate agreements ("BAAs") covering their telehealth products.

First, the notice applies only to health care providers. Under the notice, OCR will not impose penalties for noncompliance with the HIPAA Rules, including the failure to enter into a BAA with a video communication vendor, where the noncompliance arises from "the good faith provision of telehealth services" during the COVID-19 emergency. OCR does state that providers should not use public-facing video communication applications (i.e., applications that broadcast a session to the public rather than limiting it to the intended participants), given the insecure nature of such applications, but the notice is otherwise silent as to which specific provisions of the HIPAA Rules are covered by the enforcement discretion. Further, insecure telehealth applications carry legal risks beyond HIPAA that may give rise to other potential violations. In its notice, OCR also encourages providers "to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications."

General OCR Bulletin on HIPAA

In February 2020, OCR issued the Bulletin on HIPAA Privacy and Novel Coronavirus. The bulletin outlines the actions that HIPAA-covered entities can (and arguably should) take, and those that they cannot take, with respect to PHI during the COVID-19 public health emergency. It is important to note that the HIPAA Rules apply differently to business associates, which generally may make the disclosures described below only on behalf of a covered entity and only to the extent permitted by their BAAs.

With respect to actions that covered entities can take during the COVID-19 public health emergency, OCR advises the following:

  • Treatment: Covered entities may disclose PHI about a patient, without a patient's authorization, "as necessary to treat the patient" or a different patient (see 45 C.F.R. §§ 164.501, 164.502, and 164.506, et seq.).
  • Public Health Activities: Covered entities may disclose PHI without individual authorization to a public health authority (such as the CDC or a state/local health department) authorized to collect such information for the purpose of controlling the virus; at the direction of a public health authority, to a foreign government agency acting in collaboration with the public health authority; and to "persons at risk of contracting or spreading" the virus (see 45 C.F.R. §§ 164.501 and 164.512, et seq.).
  • Disclosures to Family, Friends, and Others Involved in an Individual's Care and for Notification: Covered entities may share PHI with a patient's family, friends, or other persons involved in the patient's care. "A covered entity may also share information about a patient" to identify, locate, and notify such individuals (see 45 C.F.R. § 164.510, et seq.).
  • Disclosures to Prevent a Serious and Imminent Threat: Covered entities may share PHI "with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public[,]" which must be consistent with applicable law "and the provider's standards of ethical conduct" (see 45 C.F.R. § 164.512, et seq.).

With respect to actions that covered entities cannot take during the COVID-19 public health emergency, OCR advises the following:

  • Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification: Covered entities may disclose patients' PHI to the media or the public at large only in very limited circumstances, and generally must first obtain a HIPAA-compliant authorization signed by the subject of the PHI (see 45 C.F.R. §§ 164.508 and 164.510, et seq.).

This is a particularly challenging issue for covered entities to address in practice, and they and their workforce members should be especially sensitive to these requirements during a public health emergency. The following list includes examples of where OCR has enforced the above requirement regarding disclosures to the media and others not involved in the patient's care:

As COVID-19 developments continue, OCR is expected to issue further guidance on the issues that arise for HIPAA-covered entities and business associates. Should you have any questions regarding guidance issued by OCR, please consult with the attorneys of Polsinelli PC for assistance in determining your company's legal obligations under the HIPAA Rules during these challenging times.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.