HIPAA and the Coronavirus Pandemic

The spread of coronavirus (COVID-19) to the United States triggered questions about HIPAA compliance and enforcement. Initially, the United States Department of Health and Human Services (HHS) declined to relax the requirements of the HIPAA Privacy Rule. Instead, on February 3, 2020, HHS issued Bulletin: HIPAA and the Novel Coronavirus. That bulletin details the flexible approach of the HIPAA Privacy Rule in setting the parameters for the authorized use and disclosure of protected health information (PHI) in situations like the current pandemic. In particular, the bulletin focuses on the authorized uses and disclosures of PHI related to treatment and public health concerns that would be most relevant in a response to the current public health emergency. The bulletin also reiterates the general requirement of the HIPAA Privacy Rule that only the minimum amount of PHI necessary should be used or disclosed, as well as the general obligation to safeguard PHI.

What was initially an epidemic has developed into pandemic. HHS Secretary Alex M. Azar declared a public health emergency effective March 15 at 6:00 p.m. In connection with that declaration, on March 16, HHS announced a limited waiver of the enforcement of certain provisions of the HIPAA Privacy Rule in its COVID-19 & HIPAA Bulletin: Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency (“March Bulletin”). The limited waiver applies to hospitals that have instituted a disaster protocol and waives sanctions and penalties for noncompliance with several provisions of the HIPAA Privacy Rule, including the requirement to obtain the patient’s permission before speaking with family or friends involved in the patient’s care and patient’s rights to request (a) additional restrictions on disclosure of the PHI and (b) confidential communications. The exemption is short-lived, expiring 72 hours after the hospital has implemented its disaster protocol, or sooner if the public health emergency and the national state of emergency are terminated. The text of the limited waiver is only a small part of the March 16 bulletin, which includes a reiteration of the February 3 bulletin, thereby making clear that the limited waiver contained therein is, in fact, quite limited, and the HIPAA Privacy Rule remains substantially in effect.

In response to the risks of treating patients for COVID-19, HHS has issued Notification of Enforcement Discretion for Telehealth Remote Communications during the COVID-19 Nationwide Public Health Emergency, advising healthcare providers that they will not be subject to penalties for HIPAA noncompliance in connection with the good-faith provision of telehealth treatment, which is not limited to treatment of COVID-19. In the Notification, HHS acknowledges the desire of some healthcare providers to utilize remote communications technologies to treat patients. HHS also acknowledges that not all of those technologies are fully compliant. The technology utilized for telehealth may not be public-facing. The Notification authorizes the use of popular apps for telehealth and identifies certain apps that are HIPAA-compliant and other apps that are public-facing and, therefore, not HIPAA compliant. Telehealth providers must advise patients of potential privacy risks from using the apps and must utilize encryption and privacy settings to maximize privacy. The Notification also identifies, but does not endorse, video communication vendors that claim to be HIPAA-compliant. Telehealth providers, however, will not be penalized for failure to enter into a HIPAA-compliant business associate’s agreement with a video communications vendor.

HHS has responded to the COVID-19 pandemic by waiving some of the requirements of the HIPAA Privacy Rule. Those waivers are limited. Future developments in the COVID-19 pandemic could trigger more waivers that could ease or complicate HIPAA compliance. By way of example, the “good faith” requirement and the limited guidance on appropriate technologies and vendors leave room for different interpretations of the telehealth waiver. Meanwhile, the HIPAA Privacy Rule largely remains in place, with several provisions directly impacting the use and disclosure of PHI during a public health emergency. The simultaneous existence of the HIPAA Privacy Rule and waivers has the potential for complicating HIPAA compliance, and those complications are only magnified by the pressures under which healthcare providers are currently working. Gibbons healthcare and data privacy attorneys are highly adept and experienced at identifying statutes, governmental regulations, and sub-regulatory guidance governing the use, disclosure, and protection of sensitive data like PHI. They can help you navigate the existing statutes and regulations, as well as the current governmental guidance, while you are attending to the business of patient care.

For more information about current HIPAA regulatory and sub-regulatory guidance, contact David N. Crapo of the Gibbons Healthcare Team and Financial Restructuring & Creditors’ Rights Department.

To view all client alerts in Gibbons “The Coronavirus Pandemic and Your Business: How We Can Help” Series, click here. Please also be sure to follow Gibbons on LinkedIn for a continuous feed of COVID-19 related updates and other important business, industry, and firm news.