Guidance and Legislation regarding patient information protections during the COVID-19 nationwide public health emergency
(Updated: April 13, 2020)
As summarized below, the Department of Health and Human Services (HHS) and Office for Civil Rights (OCR) have issued a series of bulletins and other guidance regarding the ability to use and disclose protected health information during the nationwide public health emergency concerning COVID-19. Generally, the guidance is intended to provide greater flexibility during the emergency and to communicate existing abilities to use and disclose patient information, while confirming that the HIPAA Privacy Rule’s protections are not suspended as a whole. In addition, the Coronavirus Aid, Relief and Security (CARES) Act contains provisions related to Part 2 protections and additional HIPAA guidance.
OCR Bulletins. OCR issued a bulletin on HIPAA and the Coronavirus on February 3, 2020. In that bulletin, OCR emphasized that the HIPAA Privacy Rule continues to apply during the nationwide emergency and described the many ways in which the HIPAA Privacy Rule permits patient information to be shared without individual authorization to assist in the emergency and to provide patients with needed care. Permitted circumstances include, subject to HIPAA’s requirements, disclosures for treatment purposes, for public health activities, to family, friends and other involved in an individual’s care and for notification, and to prevent a serious and imminent threat.
On March 28, 2020, OCR issued a subsequent bulletin related to the continuing applicability of obligations under laws and regulations that prohibit discrimination on the basis of race, color, national origin, disability, age, sex, and exercise of conscience and religion in HHS-funded programs. This bulletin contains links to the OCR’s previously issued HIPAA-related guidance.
HHS Limited Waiver. On March 16, 2020, HHS issued a bulletin that stated that sanctions and penalties under HIPAA would be waived in certain limited circumstances. The waiver applies only to hospitals and only with respect to non-compliance with:
- The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
- The requirement to honor a request to opt out of the facility directory.
- The requirement to distribute a notice of privacy practices.
- The patient’s right to request privacy restrictions.
- The patient’s right to request confidential communications.
The waiver became effective on March 15, 2020. It applies in the emergency area identified in the public health emergency declaration, to hospitals that have instituted a disaster protocol and for up to 72 hours from the time the hospital implements its disaster protocol. This bulletin also contains much of the information from the February 3, 2020 OCR Bulletin related to the ability to share patient information in nationwide public health emergencies and for patient care purposes.
OCR Notification and FAQs Regarding Telehealth. In a notification issued March 17, 2020 and related FAQs issued on March 20, 2020, OCR announced that it will exercise its enforcement discretion and will not impose penalties for non-compliance with HIPAA’s requirements on covered health care providers in connection with the good faith provision of telehealth services during the COVID-19 nationwide public health emergency. The notification states that covered health care providers may use any non-public facing remote communication product available, including popular applications that allow for video chats, such as Apple FaceTime, Facebook Messenger, Google Hangouts video, Zoom or Skype. The FAQs explain that non-public facing technologies other than applications may be used, including videoconferencing software and text messaging.[1] However, Facebook Live, Twitch, TikTok and similar video communication applications are public facing and should not be used to provide telehealth services.
The services provided by telehealth do not have to relate to diagnosis or treatment of a COVID-19 health condition, and the notification applies to all patients regardless of coverage. OCR encourages providers to notify patients that these applications may pose privacy risks and to enable all available encryption and privacy modes when using the application. Additionally, the notification specifically states that OCR will not impose penalties against covered health care providers for the lack of a business associate agreement with video communication vendors or any other non-compliance with HIPAA related to the provision of telehealth services.
The notification was effective immediately, and it will not expire until OCR issues a notice to the public that it is no longer exercising this enforcement discretion based on the latest facts and circumstances.
OCR Guidance Regarding Disclosures to First Responders and Others. On March 24, 2020, OCR issued guidance related to disclosures of information about individuals who have been infected with, or exposed to, COVID-19 to law enforcement, paramedics, other first responders and public health authorities without obtaining a HIPAA authorization from the individual in certain circumstances. These circumstances include:
- When the disclosure is needed to provide treatment.
- When such notification is required by law.
- To notify a public health authority in order to prevent or control spread of disease.
- When first responders may be at risk of infection.
- When the disclosure of protected health information to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.
- When responding to requests for protected health information by a correctional institution or law enforcement official having lawful custody of an inmate or other individual.
The guidance notes that covered entities must make reasonable efforts to limit the information used or disclosed to the minimum necessary.
OCR Notification Regarding Business Associates. On April 2, 2020, OCR announced that it will exercise its enforcement discretion and will not impose potential penalties for violations of the HIPAA Privacy Rule against covered health care providers or their business associates for uses and disclosures of protected health information by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency so long as certain conditions are met. These conditions imposed are:
- The business associate must make a good faith use or disclosure of the covered entity’s protected health information for public health or health oversight activities consistent with the applicable requirements of the Privacy Rule; and
- The business associate must inform the covered entity within ten calendar days after the use or disclosure occurs (or commences, with respect to ongoing uses or disclosures).
The notification expressly states that the discretion does not extend to other requirements or prohibitions under the Privacy Rule or any obligations under the Security Rule or Breach Notification Rule that apply to business associates and covered entities, including ensuring secure transmission of electronic protected health information to public health authorities and health oversight agencies.
OCR Notification Regarding Community-Based Testing Sites (CBTS). On April 9, 2020, OCR announced that it will exercise its enforcement discretion and will not impose potential penalties for non-compliance with regulatory requirements under the HIPAA Privacy, Security and Breach Notification Rules against covered health care providers and their business associates in connection with the good faith participation and the operation of a CBTS during the COVID-19 nationwide public health emergency. For purposes of the Notification, a CBTS includes mobile, drive-through or walk-up sites that only provide COVID-19 specimen collection for testing services to the public. The operation of a CBTS includes all activities that support the collection of specimens from individuals for COVID-19 testing. OCR encourages covered health care providers participating in the good faith operation of a CBTS to implement reasonable safeguards to protect the privacy and security of protected health information. Safeguards listed in the Notification include:
- Using only the minimum PHI necessary except for treatment-related disclosures.
- Setting up canopies or similar opaque barriers to provide some privacy to individuals during sample collection.
- Establishing a “buffer zone” to prevent members of the media or public from observing or filming individuals who approach a CBTS and posting signs prohibiting filming.
- Posting a Notice of Privacy Practices or information about how to find the Notice online, if applicable, at a place that is readily viewable by individuals who approach the CBTS.
The Notification expressly states that it does not apply to covered health care providers or their business associates when those entities are performing non-CBTS related activities and that potential HIPAA penalties still apply to all other HIPAA-covered operations, unless otherwise stated by OCR.
Patient Privacy-related Provisions in the CARES Act. The CARES Act contains two sections related to patient privacy matters. It directs the HHS Secretary to issue guidance within 180 days of enactment on the sharing of protected health information during the COVID-19 emergency. The CARES Act also makes changes to the Federal law and regulations that provide specific protections to records relating to the identity, diagnosis, prognosis or treatment of any patient in a federally-assisted substance use disorder program. These changes include loosening certain restrictions on patient consent to disclosures and redisclosures and revisions designed to make the requirements for uses and disclosures more similar to the requirements applicable to protected health information under HIPAA. The CARES Act further directs the HHS Secretary to revise existing regulations as necessary to implement and enforce these amendments made by the CARES Act and provides that such amendments will apply to uses and disclosures of information one year after the enactment of the CARES Act.
Additional Resources:
February 3, 2020 OCR Bulletin re HIPAA Privacy and Novel Coronavirus: https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf
March 16, 2020 COVID-19 & HIPAA Bulletin re Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency: https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf
March 17, 2020 Notice of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html
April 9, 2020 Notice of Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites (CBTS) During the COVID-19 Nationwide Public Health Emergency: https://www.hhs.gov/sites/default/files/notification-enforcement-discretion-community-based-testing-sites.pdf
OCR FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency: https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf
March 24, 2020 OCR guidance re COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities: https://www.hhs.gov/sites/default/files/covid-19-hipaa-and-first-responders-508.pdf.
March 28, 2020 OCR Bulletin re Civil Rights, HIPAA, and the Coronavirus (COVID-19): https://www.hhs.gov/sites/default/files/ocr-bulletin-3-28-20.pdf
April 2, 2020 OCR Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19: https://www.hhs.gov/sites/default/files/notification-enforcement-discretion-hipaa.pdf
CARES Act text: https://www.congress.gov/bill/116th-congress/house-bill/748/text
The foregoing is for your information only, is current as of April 2, 2020 and is not intended to constitute legal advice concerning any fact situation.
Please contact either Carol Ewald Bowen at carolbowen@mvalaw.com or 704-331-2462, Kimberly Short Kirk at kimberlykirk@mvalaw.com or 704-331-3524 or any other member of the MVA Health Care Team with any questions you may have about health care issues presented by the COVID-19 pandemic or for assistance in determining the application of any particular waivers, rules or guidance to your operations.
[1] The FAQs note that for reimbursement purposes, certain payors, including Medicare and Medicaid, may impose requirements on the types of technologies that be used. A fact sheet regarding Medicare payment and coverage is available at: https://www.cms.gov/newsroom/fact-sheets/medicare-telemedicine-health-care-provider-fact-sheet. Additional guidance was issued regarding telehealth was issued on March 30, 2020 as summarized in the fact sheet available at: https://www.cms.gov/newsroom/fact-sheets/additional-backgroundsweeping-regulatory-changes-help-us-healthcare-system-address-covid-19-patient.