Health Insurance Portability and Accountability Act (HIPAA) compliance during the COVID-19 pandemic has become a challenge. The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is responsible for enforcing the rules and regulations issued under the Health Insurance Portability and Accountability Act of 1996.
Those rules, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, protect the privacy and security of protected health information; they are the HIPAA Privacy, Security and Breach Notification Rules (collectively, the HIPAA Rules).
“We are empowering medical providers to serve patients wherever they are during this national public health emergency. We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.” – Roger Severino, OCR Director.
During the COVID-19 national emergency, providers and other healthcare organizations are delivering telehealth services through remote communication technologies. While communicating with patients, providers need to comply with the HIPAA Rules. Some of these remote communication technologies, and the manner in which they are used by HIPAA covered health care providers, may not fully comply with the requirements of the HIPAA Rules.
OCR will exercise its enforcement discretion and will not impose penalties for non-compliance with the regulatory requirements under the HIPAA Rules against covered health care providers. Providers furnishing telehealth during the COVID-19 nationwide public health emergency are covered by this discretion. This notification is effective immediately.
Healthcare providers seeking additional privacy protections for telehealth while using video communication products can choose technology vendors that are HIPAA compliant and that will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products.
Section 1135 allows HHS to waive the provisions of many healthcare laws and regulations during the COVID-19 national emergency. The provisions subject to waiver include Medicare and Medicaid conditions of participation, sections of the Emergency Medical Treatment and Labor Act (EMTALA), sanctions under the physician self-referral law, and Medicare telehealth requirements.
Section 1135 also permits HHS to waive HIPAA provisions that relate to obtaining the patient’s agreement to speak with family members or friends, honoring a patient’s request to opt out of a facility directory, distributing a notice of privacy practices, and respecting patients’ rights to request privacy restrictions.
These waivers apply only to hospitals, and only during the 72-hour period after they begin implementing their disaster protocol. The 72-hour limit likely reflects that the statute was drafted with the expectation that hospitals would need to respond to short-term disasters like hurricanes, not months-long crises like pandemics.
Knowing that the 1135 waiver did not provide substantial HIPAA flexibilities, OCR followed with three notifications of enforcement discretion in the following weeks. Under these notifications, OCR said it would not impose penalties on an organization subject to the guidance if it complied with the terms of the guidance, even if the organization’s actions otherwise violated HIPAA.
1. Under the HIPAA privacy rule, covered entities generally should take reasonable steps to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose. The minimum necessary rule is subject to limited exceptions; for example, disclosures made for purposes of treatment are not subject to this requirement.
2. Some states have also issued waivers of their privacy laws in light of the COVID-19 pandemic. On April 3, California Governor Gavin Newsom issued an executive order waiving certain state privacy laws to support the provision of telehealth.
3. The Substance Abuse and Mental Health Services Administration (SAMHSA) has not issued any waivers of its rules in response to the COVID-19 pandemic, but has issued guidance emphasizing that if a provider is offering telehealth services, it is up to the provider, not SAMHSA, to determine whether the emergency exception to the Part 2 rules applies. See COVID-19 42 CFR Part 2 Guidance.
The first and theoretically most significant notification of enforcement discretion was issued on March 17, applying to telehealth providers. OCR waived all provisions of the HIPAA privacy, security, and breach notification rules if a telehealth provider acted in good faith compliance with the guidance.
The guidance applies to providers only, not health plans. The enforcement discretion applies irrespective of whether a patient has or is suspected of having COVID-19. Thus, to facilitate social distancing, even if a provider knows that a particular patient does not have COVID-19, the provider can still use the flexibilities under the guidance to provide telehealth.
The guidance only means that OCR itself will not impose penalties against organizations if they comply with the terms of the guidance. Providers must still ensure that they comply with other applicable state privacy laws to the extent they remain in effect, and with the federal substance use disorder confidentiality regulations at 42 C.F.R. Part 2, if applicable.
State breach notification laws are also still in effect, so even if an organization is not required to follow HIPAA breach notification requirements, it may still have to provide breach notification in compliance with the state’s law, depending on how broadly such law applies and whether the state has waived any aspect of that law.