
HIPAA Waivers and “Enforcement Discretion” During COVID-19

April 28, 2020


The Department of Health and Human Services (“HHS”) has implemented limited Section 1135(b) waivers of certain Medicare requirements, and the HHS Office for Civil Rights (“OCR”) has announced a policy of “enforcement discretion” under which it will not impose penalties for violations of certain HIPAA Privacy Rule provisions, in each case for the duration of the COVID-19 pandemic. Strict enforcement of the existing HIPAA privacy regulations could have hindered the prompt and efficient exchange of protected health information (“PHI”) at a time of a substantial increase in the need for medical services. The 1135(b) waivers, together with OCR’s enforcement discretion, are intended to increase the efficiency and availability of critical health services to individuals enrolled in Social Security Act programs.

The March 2020 1135(b) Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency, effective March 15, 2020, waives sanctions and penalties against any covered hospital that does not comply with the HIPAA Privacy Rule requirements to: (1) obtain a patient’s agreement to speak with family members or friends involved in the patient’s care; (2) distribute a notice of privacy practices; (3) honor a patient’s request to opt out of the facility directory; and (4) honor a patient’s right to request privacy restrictions or confidential communications. The limited waiver applies only to hospitals that have instituted their disaster protocol, and only for a period not to exceed 72 hours from the time the hospital implements that protocol.

OCR has issued notifications and bulletins addressing telehealth, community-based testing sites, and uses and disclosures of PHI by business associates, and will likely continue to issue additional notifications and bulletins. Each OCR notification and bulletin advises that OCR will exercise its “enforcement discretion” and waive potential penalties for certain HIPAA Privacy Rule violations during the COVID-19 pandemic.

Telehealth

A Medicare 1135(b) waiver has expanded access to telehealth services during the public health emergency. To encourage this expanded use, OCR will exercise its enforcement discretion and not impose penalties for noncompliance with certain HIPAA Rules. The waiver has loosened many of the formerly restrictive Medicare requirements for telehealth. Under the waiver:

  1. Telehealth services may be provided to a patient at home;
  2. The patient need not reside in a rural area or health professional shortage area; and
  3. The patient need not be an established patient, but may be a new patient.

The formerly limited means of communication for providing telehealth have been expanded to permit health care professionals, acting in good faith, to use an array of non-public-facing remote communication applications to assess or treat patients, whether for COVID-19 or for any other medical condition. Providers using a video chat application such as Zoom, Google Hangouts, or a similar product should advise patients of the possible privacy risks and enable all available encryption and privacy modes. Public-facing applications such as Facebook Live, Twitch, and TikTok are not permitted, because they are designed to be open to the public or to allow wide or indiscriminate access.

Under the HIPAA Rules, a business associate agreement is still required with any communications vendor that creates, receives, maintains, or transmits PHI on the provider’s behalf. OCR has stated that it will not impose penalties for the lack of a business associate agreement with a video communication vendor during the good-faith provision of telehealth in the emergency; providers seeking additional privacy protections should nonetheless prefer vendors that represent themselves as HIPAA-compliant and will enter into such an agreement.

Community-based testing sites (CBTS) (announced April 9, 2020, retroactive to March 13, 2020)

OCR will exercise its enforcement discretion and not impose penalties against health care providers and their business associates who participate in good faith in the operation of a CBTS that provides COVID-19 specimen collection or testing services to the public during the nationwide public health emergency. Providers and their business associates are encouraged to implement reasonable safeguards, such as: setting up canopies or similar barriers to provide privacy; controlling foot and vehicle traffic to maintain privacy and social distancing; using secure technology to record and transmit PHI; establishing a “buffer zone” to prevent the public and the media from observing or filming participants; posting signs prohibiting filming; and posting a Notice of Privacy Practices (“NPP”) or, if applicable, instructions on how to obtain the NPP online.

Uses and Disclosures of Protected Health Information by Business Associates

OCR will exercise its enforcement discretion and will not impose penalties against covered entities or their business associates for violations of those provisions of the HIPAA Privacy Rule that limit a business associate’s uses and disclosures of PHI to what its written business associate agreement (or subcontractor agreement) permits. A business associate may use or disclose PHI in good faith even if the terms of its business associate agreement do not permit the use or disclosure, provided that the use or disclosure is for public health activities or health oversight activities and that the covered entity (for example, the health care provider) is informed of the use or disclosure within ten (10) calendar days. Business associates remain required to comply with all other requirements of the Privacy, Security, and Breach Notification Rules.

Both the 1135(b) waivers and OCR’s exercise of “enforcement discretion” will last until HHS announces the end of the nationwide public health emergency. Covered entities and business associates proceeding in good faith under these policies should not lose sight of the fact that the waivers and enforcement discretion are limited in scope, and that compliance with state health care and privacy laws and regulations is still required during the COVID-19 pandemic.

Montgomery McCracken’s attorneys are available to readily advise and assist clients. Visit the firm’s Coronavirus (COVID-19) Resource Center for more information and updates on this constantly evolving situation.