Following the declaration of a nationwide public health emergency due to the COVID-19 outbreak, the US Department of Health and Human Services (HHS) has issued waivers of HIPAA penalties and sanctions for good-faith use of telehealth services by health care providers and noncompliance with certain HIPAA Privacy Rule requirements for covered hospitals.
Notice of Enforcement Discretion for Telehealth Services
On March 17, the HHS announced it will waive potential penalties for good-faith use of telehealth during the COVID-19 nationwide public health emergency, even though certain technologies and the manner in which they are used may not comply with HIPAA. In its notice, the HHS stated it will “exercise its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good-faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency.”
The HHS specifically listed applications that may be used, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, and Skype; the list does not include Facebook Live, Twitch, TikTok, and similar public-facing video communication apps. However, the HHS indicated HIPAA-compliant technology vendors that will enter into business associate agreements (BAAs) with providers may be preferred, including Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me, and Google G Suite Hangouts Meet, although the HHS did not explicitly endorse any specific products.
Pursuant to the notice, the HHS will not impose penalties against covered health care providers for failing to have BAAs with their video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good-faith provision of telehealth services during the COVID-19 nationwide public health emergency.
Limited Waiver of HIPAA Sanctions and Penalties for Covered Hospitals
The HHS also issued a bulletin indicating it will exercise its authority to waive sanctions and penalties against a covered hospital that does not comply with the following HIPAA Privacy Rule requirements during the nationwide emergency:
- The requirement to obtain a patient’s agreement to speak with family or friends involved in the patient’s care
- The requirement to honor a request to opt out of the facility directory
- The requirement to distribute a notice of privacy practices
- The patient’s right to request privacy restrictions
- The patient’s right to request confidential communications
This waiver applies only in the emergency area identified in the public health emergency declaration (which currently covers the entire United States), only to hospitals that have instituted a disaster protocol, and only for up to 72 hours from the time the hospital implements its disaster protocol.
Aside from the limited waivers issued, the HIPAA Privacy Rule has not been set aside during the nationwide public health emergency. In its bulletin, the HHS provided guidance to providers describing when patient information may be shared under HIPAA in emergency situations such as the COVID-19 outbreak, including:
- Treatment: For purposes of treatment, which includes coordinating or managing health care and related services by one or more health care providers and others, consultation between providers, and referring patients for treatment.
- Public health activities: This allows providers to share information with public health authorities such as the CDC or state or local health departments for the purpose of preventing or controlling the disease; at the direction of a public health authority to a foreign government agency; and to people at risk of contracting or spreading a disease or condition if authorized by state law.
- Family, friends, and others involved in care: This grants providers the ability to share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care of the patient’s location, general condition, or death, so long as certain conditions under 45 CFR 164.510(b) are met.
- Disclosures to prevent or lessen a serious imminent threat: Consistent with their professional judgment and applicable state law, providers may disclose a patient’s health information to anyone who is in a position to prevent or lessen the serious and imminent threat to the health and safety of a person or the public, including family, friends, caregivers, and law enforcement without a patient’s permission.
Providers are reminded they should only disclose the “minimum necessary” information to accomplish the purpose of disclosures.
If you have any questions regarding the content of this alert, please contact Bridget Steele, associate, at bsteele@barclaydamon.com or another member of the Firm’s Health Care & Human Services Practice Area.