111 East Wacker Drive, Suite 500, Chicago, Illinois 60601

HIPAA Rules and Disclosures During the COVID-19 Public Health Emergency

By Amanda J. Walsh

A. OCR’s Notification of Enforcement Discretion of HIPAA Rules with Respect to Telehealth

The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is responsible for enforcing certain regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, to protect the privacy and security of protected health information, namely the HIPAA Privacy, Security and Breach Notification Rules (the HIPAA Rules). OCR at HHS recently announced unprecedented HIPPA flexibilities in response to the COVID-19 emergency. Just last month, OCR at HHS announced that it will exercise its enforcement discretion and will waive potential penalties for HIPAA violations against healthcare providers that serve patients through remote communications technologies during the COVID-19 nationwide public health emergency.

This exercise of discretion applies to widely available communications apps, such as FaceTime or Skype, when used in good faith for any telehealth treatment or diagnostic purpose, regardless of whether the telehealth service is directly related to COVID-19. This Notification of Enforcement Discretion does not have an expiration date; rather, OCR will issue a notice to public when it is no longer exercising its enforcement discretion. Roger Severino, OCR Director, explained:

We are empowering medical providers to serve patients wherever they are during this national public health emergency. We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.

During the COVID-19 national emergency, covered healthcare providers subject to the HIPAA Rules may seek to communicate with patients, and provide telehealth services, through remote communications technologies. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19. Accordingly, a healthcare provider may use a video chat application to examine a patient who exhibits COVID-19 symptoms or may examine a patient for any medical condition such as a sprained ankle, dental consultation, psychological evaluation, or other non-virus related medical conditions.

Some of these remote communication technologies may not fully comply with the requirements of the HIPAA Rules. Under OCR’s Notification of Enforcement Discretion, OCR will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the “good faith” provision of telehealth during the COVID-19 nationwide public health emergency. However, the OCR is clear that a healthcare provide may only use non-public facing remote communication technologies to communicate with patients. Non-public remote facing technologies include:

– Apple FaceTime

– Facebook Messenger video chat

– Google Hangouts video

– Zoom

– Skype

OCR also encourages healthcare providers to notify patients that these third-party applications potentially could introduce privacy risks. OCR also requires providers to enable all available encryption and privacy modes when using these third-party applications. Under OCR’s Notification of Enforcement Discretion, a covered healthcare provider may not use public facing applications, such as:

– Facebook Live

– Twitch

– TikTik

Although not required, a covered healthcare provider may seek additional privacy protections for telehealth while using video communication products. OCR recommends that these services should be provided through technology vendors that are HIPAA compliant and will enter into HIPAA Business Associate Agreements (“BAA”) in connection with the provision of their video communication products. According OCR, the list below includes some vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA:

– Skype for Business / Microsoft Teams

– Updox

– Vsee

– Zoom for Healthcare

– Doxy.me

– Google G Suite Hangouts Meet

– Cisco Webex Meetings / Webex Teams

– Amazon Chime

– GoToMeeting

– Spruce Health Care Messenger

As noted above, OCR will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules, so long as it relates to the good faith provision of telehealth services during the COVID-19 public health emergency.

B. Disclosure of Patient Protected Health Information During the COVID-19 Public Health Emergency

On April 2, 2020, OCR at HHS announced, effective immediately, that it will exercise its enforcement discretion and will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against healthcare providers or their business associates for the “good faith” uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency. HHS Secretary, Alex M. Azar, has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

– the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).

– the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).

– the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.

– the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).

– the patient’s right to request confidential communications. See 45 CFR 164.522(b).

Even without a waiver, the HIPPA Privacy Rule, allows covered entities to disclose, without a patient’s authorization, protected health information about the patient as necessary to treat the patient or to treat a different patient. Treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment. See 45 CFR §§ 164.502(a)(1)(ii), 164.506(c), and the definition of “treatment” at 164.501. For example, a skilled nursing facility may disclose PHI about an individual resident who has COVID-19 to emergency medical transport personnel who will transport that resident to a hospital. 45 CFR 164.502(a)(1)(ii); 45 CFR 164.506(c)(2).

The Privacy Rule also recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission. Therefore, the Privacy Rule permits covered entities to disclose needed protected health information without individual authorization:

– To a public health authority, such as the CDC or a state or local health department. See 45 CFR §§ 164.501 and 164.512(b)(1)(i).

– At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority. See 45 CFR 164.512(b)(1)(i).

– To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations. See 45 CFR 164.512(b)(1)(iv).

A covered entity may share protected health information with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity also may share information about a patient “as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death.” This may include, where necessary, to notify family members and others, the police, the press, or the public at large. See 45 CFR 164.510(b). The covered entity should get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible. If the individual is incapacitated or not available, covered entities may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest. For patients who are unconscious or incapacitated, a healthcare provider may share relevant information about the patient with family, friends, or others involved in the patient’s care or payment for care, if the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient.

A covered health care provider may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. See 45 CFR 164.512(j). Accordingly, providers may disclose a patient’s health information to anyone who is in a position to prevent or lessen the serious and imminent threat, including family, friends, caregivers, and law enforcement without a patient’s permission. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety. See 45 CFR 164.512(j). However, in general, reporting to the media or the public at large about an identifiable patient or disclosure of specific information of identifiable patient such as test results or the patient’s illness, may not be done without the patient’s or the patient’s healthcare power of attorney’s written permission. See 45 CFR 164.508.

Although there have been unprecedented HIPPA flexibilities in response to the COVID-19 emergency, the best practice is for Providers to do what they can to abide by the HIPAA Privacy Rule and not rely on these relaxed rules. When disclosing PHI, a Provider must make reasonable efforts to limit the information disclosed to the minimum necessary to accomplish that specific purpose. Even in emergency situations, Providers are still required to implement safeguards to protect patient information against both intentional and unintentional impermissible uses and disclosures.

_____________________________________

i. OCR Announces Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency, available at https://www.hhs.gov/about/news/2020/03/17/ocr-announces-notification-of-enforcement-discretion-for-telehealth-remote-communications-during-the-covid-19.html
ii. Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency, available at https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html
iii. OCR Announces Notification of Enforcement Discretion to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities During The COVID-19 Nationwide Public Health Emergency, available at https://www.hhs.gov/about/news/2020/04/02/ocr-announces-notification-of-enforcement-discretion.html
iv. March 2020, COVID-19 & HIPAA Bulletin Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency, available at https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf
v. COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities, available at https://www.hhs.gov/sites/default/files/covid-19-hipaa-and-first-responders-508.pdf
vi. February 2020 Office for Civil Rights, U.S. Department of Health and Human Services BULLETIN: HIPPA Privacy and Novel Coronavirus, available at https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf
vii. March 2020, COVID-19 & HIPAA Bulletin Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency, available at https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf