Over the past several months, the Office for Civil Rights ("OCR"), the entity responsible for compliance with and enforcement of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations ("HIPAA"), has issued several notices (and hosted a few webinars/conference calls) regarding HIPAA enforcement in light of the current COVID-19 pandemic. Like many federal regulatory agencies, OCR recognizes the need to relax some of the regulatory burdens during the national pandemic, allowing providers to focus their resources on patient care, as opposed to administrative hurdles. While OCR has been careful to emphasize that the HIPAA requirements remain in effect (and are not suspended) during a national state of emergency, OCR has also stated that certain violations of HIPAA during this time will not subject the entity to enforcement actions, thereby offering a little bit of breathing room. This article will summarize a few of the recent notices from OCR, which, as of the writing of this article, remain in effect.
Telehealth: OCR relaxed its enforcement actions with regard to compliance with certain aspects of the HIPAA Rules in order to allow providers to better treat their patients via telehealth. A health care provider that engages in the good faith provision of telehealth will not be penalized for violations of any of the HIPAA Rules, including the breach notification requirements, as a result of such actions. Thus, providers who want to use audio or video communication technology to provide telehealth to patients during the public health emergency can use any non-public facing remote audio or video communication product that is available to communicate with patients, regardless of the security safeguards in place. This exercise of discretion applies to telehealth provided for any reason; thus, it does not have to be related to the diagnosis and treatment of COVID-19 health conditions. Pursuant to this notice, health care providers may use applications that allow for non-public facing video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without the risk that OCR might impose a penalty for noncompliance with the HIPAA Rules. OCR further stated that it would not impose penalties against health care providers for the lack of a Business Associate Agreement with such communication vendors. While this addresses the federal privacy and security issues, providers will still want to ensure that such forms of communication are reimbursable as telehealth services by their payors and comply with applicable state law.
First Responders: OCR issued guidance designed to help first responders and others receive protected health information ("PHI") regarding patients infected with or exposed to COVID-19. The guidance clarifies the regulatory provisions that covered entities may use to disclose minimum necessary PHI, such as name or other identifying information, to law enforcement, paramedics, and other first responders so that they can take extra precautions or use personal protective equipment. These situations include when necessary to provide treatment, when required by law, to notify a public health authority, when responders may be at risk of infection, and to prevent or lessen a serious and imminent threat to health and safety. For example, a hospital can disclose a list of patients who have tested positive for COVID-19 to a 911 call center, which, in turn, can screen the list when responding to emergency calls to ensure that the responders take the necessary precautions. OCR warns, however, that such a list could not be posted publicly.
Business Associates: OCR announced that it would not impose penalties against healthcare providers and their business associates for violations of certain provisions of the HIPAA Privacy Rule with regard to good faith uses and disclosures of PHI by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency. This enforcement discretion is designed to support federal public health authorities and health oversight agencies (such as the CDC and CMS), state and local health departments, and state emergency operations centers who need access to COVID-19 related data and were having trouble accessing such data when in the hands of business associates. The HIPAA Privacy Rule already permits covered entities to provide this data, and this announcement now permits business associates to also share this data without risk of a HIPAA penalty, regardless of the terms of (and without the need to amend) the applicable Business Associate Agreement. However, the business associate is required to notify the covered entity of the disclosure within ten (10) days, and retain documentation of such notification.
COVID-19 Community-Based Testing Site: Most recently, OCR announced that it will exercise its enforcement discretion and will not impose penalties for violations of the HIPAA Rules against covered entities or business associates in connection with good faith participation in the operation of a COVID-19 Community-Based Testing Site ("CBTS") during the nationwide public health emergency. This notification was issued to support certain covered health care providers that may choose to participate in the operation of a CBTS, which includes mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public.
OCR encourages covered health care providers participating in the good faith operation of a CBTS to implement reasonable safeguards to protect the privacy and security of individuals' PHI. For example, OCR recommends that CBTS set up canopies or similar barriers to provide some privacy to individuals during the collection process and control foot and car traffic to create adequate distancing (e.g., 6 feet) to minimize the ability of persons to see or overhear screening interactions. Although covered health care providers and business associates are encouraged to implement these reasonable safeguards at a CBTS, OCR will not impose penalties for violations of the HIPAA Rules that occur in connection with the good faith operation of a CBTS.
Kelli Fleming is a partner at Burr & Forman LLP practicing exclusively in the firm's health care industry group.