HHS and CMS Issue Guidance on HIPAA and Telehealth, Respectively, in the Wake of the COVID-19 Outbreak
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently released a bulletin reiterating the ways that patient information may be shared under the Health Insurance Portability and Accountability Act (HIPAA) privacy rule in an outbreak of infectious disease or other emergency situation. The bulletin serves as a reminder that the protections of HIPAA remain in effect during an emergency. HIPAA protects the privacy of patients’ health information while allowing for appropriate disclosures to treat a patient, to protect the nation’s public health and for other critical purposes. Importantly, the HHS bulletin highlights that patient information may be shared without a patient’s authorization if the information is 1) necessary to treat that patient or a different patient; 2) disclosed in the furtherance of public health; 3) shared with a caregiver regardless of his or her familial ties to the patient; or 4) necessary to “prevent or lessen a serious and imminent threat to the health and safety” of an individual or the public. In light of the coronavirus (COVID-19) pandemic, healthcare providers should anticipate requests for patient health information for various public health purposes. Providers should review the HHS bulletin, in addition to their policies and procedures, and familiarize themselves with how and when patient information may be used or disclosed in such instances.
Additionally, the onset and rapid spread of the COVID-19 virus has reignited discussion on the benefits of telehealth. The Centers for Medicare & Medicaid Services (CMS) just issued a fact sheet with additional guidance for healthcare providers and patients about the telehealth benefits in the agency’s Medicare program. On March 6, 2020, Congress passed the Coronavirus Preparedness and Response Supplemental Appropriations Act which gives HHS the authority to waive or modify certain telehealth Medicare requirements when the president has declared a national emergency, or the HHS secretary has declared a public health emergency, as Secretary Alex Azar did in January of this year. The legislation allows the HHS secretary to waive traditional telehealth requirements such as the originating site requirement and permits providers to deliver telehealth services to Medicare beneficiaries under limited conditions. Health care providers must still comply with state telehealth laws and regulations and should review the restrictions in their state and seek legal counsel if uncertain about how they may proceed. See CMS’s recent press release for more.
Finally, on March 12, CMS published a set of COVID-19 FAQs for state Medicaid and Children’s Health Insurance Program (CHIP) agencies. Information on this and other CMS COVID-19 matters can be found at the CMS Current Emergencies Website.