We know. It can be difficult to find accurate and consistent information on HIPAA and the temporary changes due to COVID-19. To that end, we’ve put together a timeline and brief descriptions of the notifications and guidance issued by the OCR during the COVID-19 public health emergency. We hope this briefing will help healthcare organizations understand what they can and cannot do in relation to HIPAA and patient care during the pandemic. Though no deadline is set for the expiration of these temporary notifications, the industry is pushing for some of this enforcement discretion, especially around telehealth, to remain permanent.
In light of the Novel Coronavirus (2019-nCoV) outbreak, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) provided this bulletin to ensure that covered entities (CEs) and their business associates (BAs) were aware of the ways that protected health information (PHI) may be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency. The bulletin further stated that the HIPAA Privacy Rule is designed to protect the privacy of patients’ health information but is balanced to ensure that appropriate uses and disclosures may still occur when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.
March 17, 2020
In this press release, the OCR announced that it will exercise enforcement discretion and will waive potential penalties for HIPAA violations against health care providers that serve patients through everyday communications technologies during the COVID-19 nationwide public health emergency, effective immediately. The enforcement discretion applies to widely available communications applications when used in good faith for any telehealth treatment or diagnostic purpose, regardless of whether the telehealth service is directly related to COVID-19.
March 20, 2020
Following its notification of enforcement discretion, the OCR released new guidance in the form of FAQs to clarify how it will support the good faith provision of telehealth. The guidance includes responses to questions such as:
- What is telehealth?
- Which parts of the HIPAA Rule are included in the enforcement discretion?
- Does the enforcement discretion apply to violations of 42 CFR Part 2?
- When does the enforcement discretion expire?
- What telehealth services are covered?
- What constitutes bad faith?
- What is a “non-public facing” remote communication product?
March 24, 2020
In this announcement, the OCR issued new guidance on how CEs may disclose PHI about an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders and public health authorities in compliance with the HIPAA Privacy Rule. According to the guidance document, the HIPAA Privacy Rule permits a CE to disclose PHI under certain circumstances, including:
- When needed to provide treatment
- When required by law
- To notify a public health authority in order to prevent or control spread of disease
- When first responders may be at risk for an infection
- When disclosure is necessary to prevent or lessen a serious and imminent threat
- When responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual
March 28, 2020
The OCR issued this new bulletin, written and released to ensure that CEs comply with laws and regulations that prohibit discrimination on the basis of race, color, national origin, disability, age, sex, and exercise of conscience and religion in HHS-funded programs, when making decisions about patient treatment during the COVID-19 healthcare emergency. The bulletin reiterated that the “OCR enforces the Americans with Disabilities Act, Section 504 of the Rehabilitation Act, the Age Discrimination Act, and Section 1557 of the Affordable Care Act which prohibits discrimination in HHS-funded health programs or activities.”
April 2, 2020
OCR Announces Notification of Enforcement Discretion to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities During The COVID-19 Nationwide Public Health Emergency
In this notification, the OCR extended its enforcement discretion to apply to business associates, in addition to covered entities, in the use and disclosure of PHI for public health and oversight activities during the COVID-19 pandemic. The extended enforcement discretion does not apply to other requirements under the HIPAA Privacy Rule, such as maintaining security in the transmission of data. As with the enforcement discretion for CEs, the OCR will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against business associates for uses and disclosures of PHI done in good faith.
April 9, 2020
In its latest notification, retroactively effective as of March 13, 2020, the OCR extended its enforcement discretion to now also apply to the operation of COVID-19 testing sites during the COVID-19 public health emergency. The OCR announced that it will exercise its enforcement discretion and will not impose penalties for violations of the HIPAA Rules in connection with the good faith use and disclosure of PHI. This notification was issued to support certain CEs and their BAs that choose to participate in the operation of community-based testing sites (CBTSs), which include mobile, drive-through or walk-up sites that only provide COVID-19 specimen collection or testing services to the public.
May 5, 2020
The OCR issued its newest guidance, written to remind CEs that the HIPAA Privacy Rule does not permit them to give media and film crews access to facilities where PHI will be accessible without prior authorization from the patient. This guidance for media and film crews goes on to explain that even during the COVID-19 public health emergency, CEs are still required to obtain a valid HIPAA authorization from each patient whose PHI will be accessible to the media before the media is given access to that PHI. The guidance also clarifies that masking or blurring patients’ faces or other identifiable information is not sufficient, as a valid HIPAA authorization is still required before giving the media such access. Finally, the guidance describes reasonable safeguards that should be used to protect the privacy of patients whenever the media is granted access to healthcare facilities.
June 12, 2020
In this announcement, the OCR stated that covered healthcare providers are permitted under HIPAA to use PHI to contact their patients who have recovered from COVID-19, informing them about how they can donate blood and plasma to help other patients with COVID-19. Since this type of activity relates to improving health, case management or care coordination, HIPAA permits the action, but the OCR reminds CEs that they cannot receive any payment from or on behalf of a blood and plasma donation center in exchange for such communications with recovered patients.
Looking for more resources?
- NJ HIMSS Webinar: COVID-19: HIPAA, Telemedicine, Telehealth and More
- NJ HIMSS Webinar: CIO Panel Discussion on Managing IT through the COVID-19 Surge
- Help Me with HIPAA Podcast: HIPAA Privacy Rights Still Exist
- Help Me with HIPAA Podcast: COVID-19 Testing vs HIPAA