March 19, 2020
The Department of Health and Human Services (HHS) has issued two significant notices impacting standards under HIPAA in ongoing efforts to address the COVID-19 pandemic. The first issuance provides for a brief waiver of certain HIPAA privacy requirements, and in the second issuance, the Office for Civil Rights (OCR) indicates it will not impose penalties for noncompliance with certain HIPAA standards relating to telehealth.
Waiver of HIPAA Privacy Regulations
HHS will waive sanctions and penalties for hospitals for a period of up to 72 hours after the hospital has implemented its disaster protocol. The waiver applies to sanctions and penalties that might otherwise apply relating to the HIPAA privacy requirements for (1) obtaining a patient’s agreement to speak with family members or friends involved in the patient’s care; (2) honoring patient’s request to opt-out of a facility directory; (3) distributing a notice of privacy practices; (4) a patient’s right to request privacy restrictions; and (5) patients’ rights to request confidential communications. These waivers apply retroactively to March 1, 2020, but are limited in effect to no more than 72 hours from the hospital’s implementation of a disaster protocol. As drafted, following this brief waiver period, hospitals will again be required to comply with the relevant standards, even for patients admitted during the waiver period. Further, HHS has been clear to indicate that other HIPAA privacy standards continue to apply and has issued reminders that healthcare providers must continue to comply with restrictions on disclosures to the media and other similar restrictions under HIPAA.
HIPAA and Telehealth
The Office for Civil Rights has also issued telehealth guidance that may be helpful to providers while the COVID-19 national emergency declaration remains in place. Specifically, OCR has indicated it will exercise its enforcement discretion to not impose penalties for noncompliance with the HIPAA standards in connection with a good faith provision of telehealth using “nonpublic facing audio or video communication products during the COVID-19 nationwide public health emergency.” Significantly, this waiver of penalties applies whether the telehealth service involved relates to the diagnosis and treatment of health conditions related to COVID-19 or other medical conditions.
Although OCR does not endorse any particular products, OCR has indicated that the notification will allow covered healthcare providers to use Apple FaceTime, Facebook Messenger, Google Hangouts Video and Skype. Facebook Live, Twitch, TikTok and similar “public facing” video communications applications should not be relied upon under the new notification. OCR also encourages providers to inform patients that the applications may introduce privacy risks, and providers are reminded to enable all available encryption and privacy modes when using the permitted applications. Unlike the waiver provisions noted above, which are primarily focused on the HIPAA privacy standards, the special protection relating to telehealth applies to all covered healthcare providers and not just to hospitals, and are drafted to apply during the full period of the COVID-19 national emergency declaration.
Hancock Daniel’s HIPAA / Privacy & Security team is prepared to assist with any issues or questions related to the coronavirus and the matters described above. Our COVID-19 Taskforce will advise and assist providers on all concerns arising from the pandemic.
Click here for a full PDF of this advisory.
The information contained in this advisory is for general educational purposes only. It is presented with the understanding that neither the author nor Hancock, Daniel & Johnson, P.C., is offering any legal or other professional services. Since the law in many areas is complex and can change rapidly, this information may not apply to a given factual situation and can become outdated. Individuals desiring legal advice should consult legal counsel for up-to-date and fact-specific advice. Under no circumstances will the author or Hancock, Daniel & Johnson, P.C. be liable for any direct, indirect, or consequential damages resulting from the use of this material.