Since the outbreak of COVID-19, the Department of Health and Human Services Office for Civil Rights (OCR) has issued various guidance documents on compliance with the Health Insurance Portability and Accountability Act of 1996 and its regulations. The topics include OCR’s discretion in enforcing HIPAA with respect to telehealth services, waiving hospital compliance with the HIPAA Privacy Rule in limited circumstances, and Privacy Rule compliance in the absence of specific waiver. The OCR guidance, discussed below, confirms that HIPAA still applies during the pandemic but compliance may be relaxed in certain situations to allow healthcare providers to respond effectively to the current public health emergency.

  1. OCR Enforcement Discretion Regarding Telehealth

On Feb. 3, 2020, HHS released a guidance bulletin reminding all covered entities and their business associates that the requirements of HIPAA still apply during a national public health emergency, such as the COVID-19 pandemic. The Feb. 3 guidance and specific compliance matters are discussed in more detail below. However, on March 17, 2020, OCR issued a notification that it will exercise its enforcement discretion specifically with respect to telehealth services during the COVID-19 public health emergency. OCR followed the notification with an FAQ. In the notice, OCR recognized that some of the remote communication technologies that providers use to connect with patients to provide telehealth services may not be fully compliant with HIPAA. OCR stated, however, that it will exercise enforcement discretion by not imposing any penalties for noncompliance with regulatory requirements under HIPAA in connection with the good-faith provision of telehealth during the COVID-19 nationwide public health emergency.

OCR clarified that it would consider facts and circumstances of each individual case when considering whether a health care provider used good faith in connection with providing telehealth services. OCR provided examples of what would be considered “bad faith,” including further uses of protected health information (PHI) transmitted through telehealth such as sale of the data; violations of state licensing laws or standards that result in disciplinary action related to the treatment offered or provided via telehealth; and the use of public-facing remote communication products discussed below. OCR’s enforcement discretion extends to all provisions of HIPAA applicable to telehealth including the Privacy, Security and Breach Notification Rules. OCR also clarified that the enforcement discretion applies to all telehealth services rendered during this time, regardless of whether such telehealth services are specifically related to the diagnosis and treatment of COVID-19.

OCR explained that, despite its exercise of enforcement discretion, providers who furnish telehealth services must use nonpublic-facing audio and video telecommunication technologies with patients, such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video or Skype. Providers should not use public-facing telecommunication technologies — such as Facebook Live, Twitch or TikTok — to communicate with patients, as communications on these social media platforms are not private and shared widely. OCR encouraged all telehealth providers to continue using the most secure technology available and to enter into proper business associate agreements with technology vendors whenever possible. However, consistent with its exercise of enforcement discretion, OCR emphasized that it will not impose penalties against covered healthcare providers for the lack of a business associate agreement with video communication vendors. OCR recommended that providers notify patients that any unapproved third-party applications potentially introduce privacy risks, and suggested that providers enable all available encryption and privacy modes when using such applications. More information about the OCR’s guidance on remote communications for telehealth services can be found here and here.

  1. HHS Privacy Rule Waiver for Hospitals in Disaster Protocol

In addition to relaxing HIPAA enforcement for telehealth services, HHS Secretary Alex Azar issued a waiver of certain provisions of the HIPAA Privacy Rule under his authority granted by the Project Bioshield Act of 2004 and section 1135(b)(7) of the Social Security Act, effective March 15, 2020. Azar waived sanctions and penalties against covered hospitals that do not comply with the following requirements of the Privacy Rule: (1) obtaining a patient’s agreement to speak with family members or friends involved in the patient’s care; (2) honoring a request to opt out of the facility directory; (3) distributing a notice of privacy practices; (4) honoring the patient’s right to request privacy restrictions; and (5) honoring the patient’s right to request confidential communications. This waiver only applies to hospitals that have instituted a disaster protocol, and only in the emergency area identified in the public health emergency declaration, i.e., treatment of patients for COVID-19. Further, the waiver only applies for up to 72 hours from the time the hospital implements its disaster protocol. Except as specifically waived and under these strict limitations, the requirements of the Privacy Rule continue to apply.

  1. HHS Privacy Rule Emergency Provisions Guidance Bulletin

On Feb. 3, 2020, HHS released a guidance bulletin reminding all covered entity healthcare providers and their business associates that the HIPAA Privacy Rule still applies during a national health emergency, such as the COVID-19 pandemic, and how PHI can permissibly be disclosed during this time. While this guidance was released before the rapid spread of the COVID-19 pandemic in the United States, the guidance is still applicable to the extent it has not been specifically superseded by the subsequent issuances discussed above. While the waiver discussed above waives certain Privacy Rule provisions for hospitals in limited circumstances, it does not suspend the Privacy Rule. The guidance addresses a few particularly relevant provisions of the Privacy Rule that covered entities and business associates should remember during this time:

  1. Treatment of Patients. Covered entities may disclose, without a patient’s authorization, PHI about the patient necessary to treat the patient or to treat a different patient. This includes the coordination of health care and related services by one or more providers and others and the referral of patients for treatment. For example, if a hospital is running out of beds for COVID-19 infected patients, the hospital is still able to share PHI with another provider to transition care before the patient is fully under the care of the new provider.
  2. Public Health Activities. The Privacy Rule allows covered entities to disclose necessary PHI without individual authorization for public health activities. This includes disclosures to a public health authority authorized by law to receive such information for the purpose of preventing or controlling disease. For example, a covered entity may disclose PHI to a state health department or the Centers for Diseases Control and Prevention (CDC) so that such public health authorities are able to fulfill their duties in managing the pandemic. Covered entities may also disclose PHI to a foreign government agency, but only in collaboration with a domestic, legally authorized public health authority. Further, if allowed by another law, typically state law, covered entities may also disclose PHI to notify persons at risk of contracting or spreading the disease. For example, if state law allows, a covered entity may notify those who have come into direct contact with a patient of the covered entity who has tested positive for COVID-19 to attempt to prevent further spread of the virus.
  3. Disclosures to Family, Friends and Others Involved in Care. A covered entity may disclose PHI to a patient’s family members, relatives, friends or other persons identified by the patient as involved in the patient’s care. Covered entities may also share PHI as necessary to locate or notify those responsible for the patient’s care of the patient’s location and condition. This may include, where necessary, disclosures to family, the police, the press or the general public. In such a case, the covered entity should attempt to obtain verbal authorization from patients when possible; however, when the individual is unable to communicate, covered entities may share information for the purposes described above if, in the healthcare professional’s judgment, doing so would be in the best interest of the patient. For example, a provider may determine that it is in the best interest of an elderly patient to share information with the patient’s adult child about current treatment, but generally could not share unrelated information about the patient’s medical history without the patient’s authorization. A covered entity may also share PHI with a disaster relief organization, such as the American Red Cross, to the extent necessary to allow such relief organizations to respond to a legitimate emergency. OCR considers these to be broad exceptions, relying on healthcare providers to use their best professional judgment.
  4. Disclosures to the Media or Others. Generally, except in the limited circumstances described above, reporting to the media or general public about an identifiable patient, such as specific tests, results or details of illness is not allowed under HIPAA without the patient’s written authorization. Since the outbreak of COVID-19, the best practice for handling information related to an infected patient is to notify a public health authority as discussed above. Legitimate public health authorities are typically in the best position to determine what information should be disseminated and to whom to control the pandemic.
  5. Minimum A covered entity is always under an obligation to limit any PHI disclosed to the “minimum necessary” information for the purpose of the disclosure. Covered entities may rely on representations from a public health authority when determining if the information requested by such public health authority is the minimum necessary for the purpose, when that reliance is reasonable under the circumstances. In practice, given the speed with which the COVID-19 pandemic is spreading, it is likely reasonable to rely on the requests of legitimate public health authorities.
  6. Business Associates. Business associates may make disclosures of PHI only as permitted by the Privacy Rule (such as to a public health authority) on behalf of covered entity and to the extent authorized by the business associate agreement between the parties. Although HIPAA applies only to covered entities and their business associates, and does not apply to other persons or entities, other state and federal privacy laws may apply.

Please contact the authors for additional guidance on how these issuances and other COVID-19 considerations will affect the delivery of patient care and the related rules. McGuireWoods has published additional thought leadership related to how companies across various industries can address crucial coronavirus-related business and legal issues.