COVID-19 Update: New guidance on HIPAA issues
Several important announcements have been made recently to address HIPAA rules during the COVID-19 national emergency.
Relaxation of HIPAA rules to allow public health disclosures by Business Associates
On April 2, 2020, the Office for Civil Rights (OCR) issued formal notice of enforcement discretion regarding public health disclosures by Business Associates. Subject to certain requirements, HIPAA permits Covered Entities to disclose protected health information (PHI) to public health authorities (45 CFR 164.512(b)) and health oversight agencies (45 CFR 164.512(d)). While a Business Associate may make disclosures on behalf of a Covered Entity, a fundamental rule is that a Business Associate may only use or disclose PHI as permitted by the terms of its business associate agreement or other underlying arrangement, or as required by law.
OCR noted that federal and state public health authorities and health oversight agencies have requested PHI from Business Associates for the purpose of ensuring the health and safety of the public during the COVID-19 national emergency, but that many Business Associates have been unable to respond because their business associate agreements do not expressly permit them to make such disclosures of PHI.
OCR announced that, to facilitate disclosures for public health and health oversight activities during this nationwide public health emergency, it will exercise its enforcement discretion and will not impose penalties against a Business Associate or Covered Entity under the Privacy Rule for making disclosures to public health authorities or health oversight agencies. However, enforcement is waived only if:
- the Business Associate makes a good faith use or disclosure of the Covered Entity’s PHI for public health activities consistent with 45 CFR 164.512(b) or health oversight activities consistent with 45 CFR 164.512(d); and
- the Business Associate informs the Covered Entity within ten calendar days after the use or disclosure occurs (or commences, with respect to uses or disclosures that will repeat over time).
Examples from OCR of what is permitted include disclosures by Business Associates to (1) the CDC, or a similar public health authority at the state level, for the purpose of preventing or controlling the spread of COVID-19, consistent with 45 CFR 164.512(b), and (2) the Centers for Medicare and Medicaid Services (CMS), or a similar health oversight agency at the state level, for the purpose of overseeing and providing assistance for the health care system as it relates to the COVID-19 response, consistent with 45 CFR 164.512(d).
In the notice, OCR states that the enforcement discretion does not extend to other requirements or prohibitions under the Privacy, Security or Breach Notification Rules. In particular, OCR notes that a Business Associate must still comply with the Security Rule when transmitting PHI to a public health authority or health oversight agency; the waiver covers the decision to disclose, not the safeguards applied to the disclosure itself.
Disclosures to law enforcement, paramedics and first responders
On March 24, 2020, OCR issued guidance clarifying when HIPAA permits disclosures of PHI to law enforcement, paramedics, other first responders and public health authorities. OCR highlighted that the HIPAA Privacy Rule does allow a Covered Entity to share the name and other identifying information of an individual who has tested positive for COVID-19 with law enforcement, first responders and public health authorities:
- when disclosure is needed to provide treatment;
- when such notification is required by law;
- in order to prevent or control the spread of disease;
- when first responders may be at risk for infection;
- when disclosure is necessary to prevent or lessen a serious or imminent threat to the health or safety of a person or the public; or
- when responding to a request for PHI from a correctional institution or law enforcement having lawful custody of an inmate or other individual.
OCR provided two specific scenarios that may be relevant to many Covered Entities on the front lines of the pandemic. First, a Covered Entity provider may give a list of names and addresses of individuals who have tested positive or received treatment for COVID-19 to an EMS dispatch for use on a per-call basis. Second, a 911 call center that is a Covered Entity may ask COVID-19 screening questions of callers and disclose that information to law enforcement officers being dispatched to relevant locations. In these scenarios, the ability to disclose this PHI allows the first responders and law enforcement officers to take extra precautions, such as the use of personal protective equipment (PPE).
The OCR guidance also noted that the minimum necessary rule applies to such disclosures unless they are required by law or are made for purposes of treatment.
FAQs on telehealth
OCR also issued additional guidance, in the form of FAQs, supplementing the previously announced notification of enforcement discretion regarding the use of telehealth technologies.
The guidance contains helpful clarifications, including:
- Applicability: The enforcement discretion applies to all health care providers but does not apply to health plans or clearinghouses.
- Expiration date: OCR notes that no expiration date has been set for the notice of enforcement discretion and that OCR will issue a notice to the public when it is no longer exercising its enforcement discretion “based upon the latest facts and circumstances.”
- Location of services: OCR expects health care providers will ordinarily conduct telehealth in private settings. If telehealth cannot be provided in a private setting, health care providers should continue to implement reasonable HIPAA safeguards to limit incidental uses or disclosures of PHI, such as “using lowered voices, not using speakerphone, or recommending that the patient move to a reasonable distance from others when discussing PHI.”
- Bad faith: Health care providers are required to act in good faith in these circumstances. Examples given of what might constitute acting in bad faith include violations of state licensing laws or professional ethical standards that result in disciplinary action related to the treatment provided via telehealth. For this reason, it is all the more important to ensure telehealth is being provided in accordance with state laws.
- Breach/interception of transmission: OCR notes that it will not pursue otherwise applicable penalties for breaches that result from the good faith provision of telehealth services during the COVID-19 nationwide public health emergency. If, for example, an attack on the telehealth technology exposed PHI from a telehealth session, a provider acting in good faith would not face HIPAA penalties for that breach.
Civil rights, HIPAA and COVID-19
On March 28, 2020, OCR issued a bulletin focused on Section 1557 of the Affordable Care Act and Section 504 of the Rehabilitation Act, which prohibit discrimination on the basis of disability in HHS-funded health care programs. The bulletin noted that these and other civil rights laws remain in effect during the pandemic, and that providers must make decisions regarding whether a person is a candidate for treatment based on an individualized assessment of the best available objective medical evidence. More specifically, OCR reminded health care providers of their obligations ("as resources allow") to:
- provide effective communication with individuals who are deaf, blind, hard of hearing or visually impaired;
- provide meaningful access to information to individuals with limited English proficiency;
- make emergency messaging available in plain language and in languages prevalent in the affected area;
- address the needs of individuals with disabilities, including those with mobility impairment, those who use assistive devices and individuals with immunosuppressed conditions; and
- respect requests for religious accommodations in treatment and access to clergy as practicable.
OCR noted that some actions or accommodations may not be required if they would fundamentally alter the nature of a program, pose an undue financial or administrative burden, or pose a direct threat.