Compliance with the HIPAA Privacy, Security and Breach Notification Rules remains an obligation during the COVID-19 national emergency, but, in the interest of encouraging treatment and efficient response to this pandemic, the U.S. Department of Health and Human Services (HHS) has made two recent announcements related to the enforcement of HIPAA:
On March 17, 2020, the HHS Office for Civil Rights (OCR) announced that it will exercise its enforcement discretion and waive potential penalties for HIPAA violations against covered health care providers that serve patients through remote communication technologies during the COVID-19 national public health emergency (the “Notification of Enforcement Discretion”). The purpose of the Notification of Enforcement Discretion is to empower health care providers to provide services to patients wherever they are during this public health emergency, and, in particular, to ensure that they can reach those most at risk, including older persons and those with disabilities. The exercise of enforcement discretion will apply regardless of whether the telehealth service is directly related to COVID-19.
In the Notification of Enforcement Discretion, OCR explains that health care providers can use any non-public facing remote audio or video communication product that is available to communicate with patients. OCR notes that this applies to widely available remote communication technologies when used in good faith for any telehealth treatment or diagnostic purpose, but public-facing communication applications should not be used for the provision of telehealth services. The Notification of Enforcement Discretion lists specific examples of non-public facing and public-facing technologies.
OCR lists vendors that represent they are compliant with HIPAA and able to enter into business associate agreements (BAAs); however, OCR makes it clear that it is not endorsing the use of any of these services. In the Notification of Enforcement Discretion, OCR confirms that it will not impose penalties against health care providers for the lack of a BAA with a communication technology provider. OCR encourages health care providers to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
OCR issued further guidance explaining how covered health care providers can use remote video communication products and offer telehealth services to patients responsibly. A summary of this guidance can be found here.
The Notification of Enforcement Discretion for Telehealth Remote Communications can be found here.
HHS announced that, in response to President Trump’s declaration of a national emergency concerning COVID-19, and HHS Secretary Alex M. Azar’s declaration of a public health emergency, Secretary Azar has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
The waiver is effective as of March 15, 2020, retroactive to March 1, 2020. The waiver only applies to hospitals that have instituted a disaster protocol and for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, hospitals must then comply immediately with all of the requirements of the Privacy Rule for any patient still under their care.
The announcement can be found online.
OCR previously issued a bulletin outlining how entities subject to HIPAA may share patient information under the HIPAA Privacy Rule and other obligations during an outbreak of infectious disease or other emergency situation, such as COVID-19. For more information see our blog posting.