HIPAA Compliance During the COVID-19 Public Health Emergency
An official declaration of a nationwide public health emergency due to the 2019 Novel Coronavirus (“COVID-19”) has resulted in certain discretionary enforcement of specific provisions of the Federal Health Insurance Portability and Accountability Act (“HIPAA”).
The primary laws and rules governing the access, use, disclosure and transmission of confidential patient data are the Administrative Simplification components of HIPAA. HIPAA is directly applicable to health plans, health care clearinghouses, and health care providers who transmit health information in electronic form (collectively, “Covered Entities”), as well as their business associates. A Covered Entity, or its business associate, may not access or otherwise use or disclose protected health information (“PHI”) without authorization, except where permitted by HIPAA. Permissible uses and disclosures in the absence of an authorization relate specifically to the treatment, payment, or health care operations of a Covered Entity. In the absence of a permissible purpose for disclosure, a Covered Entity or business associate is required to obtain a valid authorization from each applicable patient in order to access, use, and/or disclose PHI. Failure to comply with HIPAA may result in civil money penalties up to $1.5 million and/or exclusion from Medicare.
Although compliance with HIPAA is mandatory at all times, during public health emergencies, the HIPAA Privacy Rule permits the Secretary of the U.S. Department of Health and Human Services to waive penalties for covered hospitals that do not comply with certain HIPAA provisions during the emergency. The waiver only applies: (i) in the identified emergency area; (ii) to hospitals that have implemented a disaster protocol; and (iii) for up to 72 hours from the time the hospital implemented the protocol. Typically, all other Covered Entities and Business Associates must still adhere to HIPAA and its requirements.
However, due to the declaration of this nationwide emergency, compliance with certain HIPAA provisions that affect telehealth services will not be strictly enforced at this time. Earlier today, the Office for Civil Rights (“OCR”) announced:
A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.
Based on this discretion, a Covered Entity may use any non-public facing remote communication product, such as FaceTime or Skype, to render telehealth services to patients, irrespective of whether the telehealth encounter is related to COVID-19. Providers will not face penalties for utilizing potentially unsecure video services or for failing to have business associate agreements with the applicable technology provider(s). However, providers using widely available video conferencing programs are encouraged to notify their patients that such platforms pose privacy risks, and to enable any encryption or privacy modes available on the platforms.
How Frier Levitt Can Help
The outbreak of COVID-19 continues to significantly affect the health care industry and how providers can render medical care. For more information on available HIPAA waivers or guidance on permissible disclosures of PHI under HIPAA during this outbreak, contact Frier Levitt.