The COVID-19 pandemic has quickly caused at least a temporary restructuring of the U.S. healthcare system. This restructuring has impacted not only service delivery and healthcare funding but also the privacy of patients’ information. In the course of several weeks, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) announced important changes to how the agency will enforce the nation’s most significant health privacy law, the Health Insurance Portability and Accountability Act (HIPAA), and its privacy, security, and breach regulations.
These changes are intended to give providers and other healthcare organizations more flexibility in how they share protected health information (PHI) in responding to the pandemic. They apply to hospitals treating COVID-19 patients, COVID-19 testing centers, and telehealth providers, among other organizations. While these changes are intended to address the immediate needs of the COVID-19 pandemic and therefore typically are set to expire once the COVID-19 public health emergency ends, they may have a more lasting impact than OCR anticipates, as they could lead to calls for more permanent HIPAA reforms.
The following summarizes the key actions that OCR has taken to modify HIPAA in response to the COVID-19 pandemic.
Section 1135 allows HHS to waive the provisions of numerous healthcare laws and regulations during certain public health emergencies. The provisions subject to waiver include Medicare and Medicaid conditions of participation, sections of the Emergency Medical Treatment and Labor Act (EMTALA), sanctions under the physician self-referral law (commonly called the Stark Law), and Medicare telehealth requirements. Section 1135 also permits HHS to waive HIPAA provisions that relate to obtaining the patient’s agreement to speak to family members or friends, honoring a patient’s request to opt out of a facility directory, distributing a notice of privacy practices, and respecting patients’ rights to request privacy restrictions. However, these waivers apply only to hospitals in the 72-hour period after they begin implementation of their disaster protocols. The 72-hour period requirement may reflect the fact that the statute was drafted with the expectation that hospitals would need to respond to short-term disasters like hurricanes, not months-long crises like pandemics.
When HHS Secretary Alex Azar issued the first COVID-19 “blanket” 1135 waiver on March 13, HHS waived these HIPAA requirements to the fullest extent permitted under the statute. But since these HIPAA waivers are so narrow, they had limited impact. In effect, the HIPAA waivers meant that hospitals, for a 72-hour period after they had declared they were operating under a disaster protocol, could ignore a few HIPAA rules. But since this waiver is limited to a three-day period, the waiver did not have a significant impact on hospital operations and had no impact on providers other than hospitals.
Recognizing that the 1135 waiver did not provide significant HIPAA flexibilities, OCR followed with three notifications of enforcement discretion in the following weeks. Under these notifications, OCR said it would not impose penalties on an organization subject to the guidance if it complied with the terms of the guidance, even if the organization’s actions otherwise violated HIPAA.
The first and potentially most important notification of enforcement discretion was issued on March 17, applying to telehealth providers. OCR waived all provisions of the HIPAA privacy, security, and breach notification rules if a telehealth provider acted in good faith compliance with the guidance. This meant, for example, that a provider did not need to use a communications technology that complied with the HIPAA security rule, but instead could use other technologies—such as Zoom, FaceTime, or Skype—that might not meet all HIPAA requirements but are nevertheless designed to be non-public facing. The guidance applies to providers only, not health plans. Importantly, the enforcement discretion applies regardless of whether a patient has or is suspected of having COVID-19. Thus, to facilitate social distancing, even if a provider knows that a particular patient does not have COVID-19, the provider can still use the flexibilities under the guidance to provide telehealth.
Although the waiver is broad, OCR emphasized that providers should still seek to follow certain precautions in their telehealth practices. In a subsequent Q&A, OCR indicated that providers should attempt to communicate in private settings, and if that is not possible, they should implement reasonable safeguards such as not using a speakerphone while talking to a patient in a public place. Providers also should not act in “bad faith,” which could occur if the provider either sells patient data it obtains via telehealth or violates state ethical guidelines in the provision of telehealth, among other circumstances.
On April 2, OCR followed its telehealth guidance with a notification of enforcement discretion regarding business associates making disclosures for public health purposes. Under current law, business associates are permitted to make disclosures to public health agencies such as the Centers for Disease Control (CDC) and health oversight agencies such as the Centers for Medicare and Medicaid Services (CMS) only if the contract between the business associate and the HIPAA-covered entity permits such disclosures. Public health authorities found that such contractual provisions could present a barrier to data disclosures for public health purposes, since agencies like CDC might have to wait for data repositories holding important COVID-19 information—such as electronic health record platforms or health information exchanges—to amend their business associate agreements before disclosing their data to the government. This enforcement discretion does not apply to all of HIPAA, but only to the requirement that business associates comply with the provisions in their business associate agreements regarding public health and health oversight disclosures.
On April 9, OCR issued a third notice of enforcement discretion regarding community-based testing sites (CBTSs), which are mobile, drive-through, or walk-up sites that provide specimen collection for COVID-19 testing. Since such sites are often set up in semipublic places such as parking lots, providers operating these sites often struggle to comply with certain HIPAA rules that assume the patient is being treated in a more private setting. As with the telehealth guidance, the notification of enforcement discretion broadly applies to the HIPAA privacy, security, and breach notification rules, but OCR nevertheless asks CBTSs to attempt to comply with certain HIPAA requirements, such as implementing the minimum necessary rule,1 using secure technologies to transmit PHI, and posting a notice of privacy practices. The guidance applies only to the CBTS itself. For instance, if a pharmacy operates a CBTS in its parking lot, it will not need to comply with much of HIPAA in regards to its specimen collection in the parking lot, but HIPAA will still fully apply when the pharmacy provides drugs to patients within its four walls.
The following chart summarizes OCR’s actions under the 1135 waiver and its notifications of enforcement discretion:
In addition to the waiver and the notifications of enforcement discretion, OCR has issued guidance intended to help providers navigate disclosures in response to COVID-19. For example, the guidance issued on March 24 describes how law enforcement, paramedics, and other first responders can use and disclose PHI in responding to the COVID-19 pandemic. The guidance notes that HIPAA-covered entities may disclose a patient’s COVID-19 diagnosis to police officers and other first responders who may have been exposed to the patient. Disclosures are also permitted to “fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties.” While this guidance does not change HIPAA rules, it provides some clarity as to how HIPAA applies in the pandemic context.
While OCR’s changes offer some relief to providers responding to the COVID-19 pandemic, they are not a “get-out-of-jail-free card” when it comes to privacy compliance. The guidance only means that OCR itself will not impose penalties against organizations if they comply with the terms of the guidance. But providers need to ensure they comply with other applicable state privacy laws to the extent they are still in effect2 and with the federal substance use disorder confidentiality regulations at 42 C.F.R. Part 2, if applicable.3 State breach notification laws are also still in effect, so even if an organization is not required to follow HIPAA breach notification requirements, it may still have to provide breach notification in compliance with the state’s law, depending on how broadly such law applies and whether the state has waived any aspect of that law.
Beyond immediate compliance issues, the changes may lead to more long-term changes to HIPAA. The telehealth enforcement discretion was motivated in part by the desire to permit practitioners to provide services via telehealth to new patients without asking them to sign a notice of privacy practices. Even when the COVID-19 pandemic subsides, the greater use of telehealth will likely continue (see the Manatt Insights telehealth 50-state survey for more). HHS and Congress will eventually need to decide whether certain HIPAA privacy requirements will need to remain in force in a post-pandemic world.
NOTE: On May 12, Manatt Health is hosting a new webinar, “COVID-19: Remapping the Healthcare Privacy Landscape.” During the program, we will explore the range of legal changes to healthcare privacy that the COVID-19 pandemic is driving, including both immediate impacts and long-term consequences.
1 Under the HIPAA privacy rule, covered entities generally should take reasonable steps to limit the use or disclosure of, and requests for, PHI to the minimum necessary to accomplish the intended purpose. The minimum necessary rule is subject to limited exceptions; for example, disclosures made for purposes of treatment are not subject to this requirement.
2 Some states have also issued waivers of their privacy laws in light of the COVID-19 pandemic. On April 3, California Governor Gavin Newsom issued an executive order waiving certain state privacy laws to support the provision of telehealth.
3 The Substance Abuse and Mental Health Services Administration (SAMHSA) has not issued any waivers of its rules in response to the COVID-19 pandemic, but has issued guidance emphasizing that if a provider is offering telehealth services, it is up to the provider, not SAMHSA, to determine whether the emergency exception to the Part 2 rules applies. See https://www.samhsa.gov/sites/default/files/covid-19-42-cfr-part-2-guidance-03192020.pdf. In addition, Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) permanently changed some of the rules governing disclosure of substance use disorder information, but how the provision will be implemented by HHS remains to be seen.