Responding to the COVID-19 national public health emergency, on March 13, 2020, the Secretary of the U.S. Department of Health and Human Services (HHS) exercised the authority granted by Section 1135 of the Social Security Act to waive certain requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy regulations for covered hospitals. On March 17, 2020, in response to HHS’ subsequent waiver of certain conditions for payment of telehealth, the HHS Office for Civil Rights (OCR) announced its enforcement discretion to promote greater flexibility with respect to HIPAA privacy and security rule (HIPAA Rules) compliance in telehealth.
On March 17, 2020, OCR published a Notification of Enforcement Discretion for telehealth remote communications during the COVID-19 nationwide public health emergency. The notification is effective immediately and remains in place for the duration of the COVID-19 national emergency. It grants providers flexibility to use certain videoconferencing technologies, even if not fully compliant with the HIPAA Rules. By temporarily broadening the scope of telehealth permissibility, OCR facilitates the ability of providers to assess a greater number of patients while limiting the risk of infection of others who would be exposed from an in-person encounter.
- OCR will use discretion and not impose penalties for certain noncompliance
OCR recognizes that during the COVID-19 national emergency, healthcare providers may seek to communicate with patients and provide telehealth services through remote communications technologies and methods that are otherwise not fully in compliance with the HIPAA Rules. OCR announced that it will not impose penalties for noncompliance with applicable HIPAA requirements against providers that provide telehealth services in good faith using any non-public facing remote communication product.
- What kinds of telehealth are permitted?
A healthcare provider may use any non-public-facing remote communication product to communicate with patients (e.g., FaceTime, Facebook messenger video chat, Google Hangouts, and Skype are all explicitly permitted). Providers are still encouraged to advise patients of the potential privacy risks with using such interfaces, and they should use all encryption and privacy modes, to the extent available. Public-facing video applications are not permitted (e.g., Facebook Live, Twitch, Tik Tok are expressly excluded).
OCR reminds providers that for additional privacy protections while using video communication mechanisms, they should use technology vendors that are HIPAA compliant and enter appropriate business associate agreements with such vendors (e.g., Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me, Google G Suite Hangouts Meet).
- Does this notification only apply to telehealth for COVID-19 treatment?
OCR’s exercise of enforcement discretion will extend to telehealth provided for any reason – not just treatment for COVID-19.
Limited HIPAA Waivers
On March 13, 2020, the Secretary of HHS exercised the authority granted by Section 1135 of the Social Security Act to waive certain requirements of the HIPAA privacy regulations applicable to covered hospitals. The following is a summary of the scope and duration of this waiver, as well as of considerations for healthcare providers and other covered entities (and their business associates) in light of the national emergency.
- What requirements of the HIPAA privacy regulations have been waived?
The HIPAA waivers apply by their terms to hospitals that have instituted a disaster protocol. Non-hospital providers do not appear to be covered by the HIPAA waivers or the authority granted by Section 1135 of the Social Security Act.
The waivers do not universally waive all HIPAA requirements for such hospitals – rather, HHS waived only the sanctions and penalties arising from noncompliance with the following provisions:
- The requirements to obtain a patient’s agreement to speak with family members or friends or to honor a patient’s request to opt-out of the facility directory (as set forth in 45 C.F.R. § 164.510).
- The requirement to distribute a notice of privacy practices (as set forth in 45 C.F.R. § 164.520).
- The patient’s right to request privacy restrictions or confidential communications (as set forth in 45 C.F.R. § 164.522).
The language above specifically waives the obligation to distribute a notice of privacy practices (which is technically only required upon a material change of the notice). It is not clear whether this was intended to also waive the requirements by healthcare providers to furnish a notice no later than the date of the first service delivery (or, in the case of an emergency, as soon as reasonably practicable), to make a good faith effort to obtain an acknowledgment of receipt, and to make the notice available on request.
In addition, the above waivers are effective only if actions under the waiver do not discriminate on the basis of a patient’s source of payment or ability to pay.
- When do the waivers take effect, and for how long do they remain in effect?
The waivers announced by HHS generally took effect at 6:00 P.M. Eastern Standard Time on March 15, 2020. HHS has exercised its discretion to give them a retroactive effect to March 1, 2020.
However, the effective date and duration of the HIPAA waivers discussed above are more limited because waivers are only effective for up to 72 hours from the time a hospital implements its disaster protocol. The window for utilizing the waiver will remain open for 60 days (or until the presidential declaration of national emergency or secretarial declaration of public health emergency terminates). After that, a hospital must then comply with all the requirements of HIPAA privacy regulations for any patient still under its care, even if 72 hours have not elapsed since the implementation of its disaster protocol.
- What information can be shared to prevent the spread of COVID-19 (even outside the waivers)?
Healthcare providers, other covered entities, and their business associates not eligible for the waivers remain subject to all requirements of the HIPAA privacy regulations. Those able to take advantage of the waivers remain subject to all non-waived provisions of the HIPAA privacy regulations (in other words, most of the requirements of HIPAA). There are several provisions in HIPAA that permit uses and disclosures of protected health information (PHI) that may help respond to COVID-19.
Permitted uses and disclosures under the HIPAA privacy regulations (in all situations, regardless of the waivers) include the following:
Research and Public Health: Release of a Limited Data Set
HIPAA permits the use and disclosure of a limited data set (LDS) provided that (1) the parties first enter into a compliant data use agreement, and (2) the LDS is used and disclosed only for public health, research or healthcare operations purposes. A data use agreement is a simple agreement specifying terms mandated by HIPAA (who may receive the LDS, what the LDS may be used for, the obligation to safeguard the LDS and certain other terms). An LDS data use agreement is much less onerous than a business associate agreement.This exception also provides greater flexibility to covered entities, since an LDS may include dates of service and geographic information (other than street address), unlike the de-identification safe harbor. An LDS is information that has been de-identified, except that elements of dates (such as date of birth or date of service) and location (e.g., state and zip code) may remain. The use of an LDS and compliant data use agreement allows covered entities to share valuable information that can assist researchers and public health authorities in tracking aggregated COVID-19 outcomes without violating HIPAA’s privacy requirements.
Other Public Health Activities
HIPAA also permits several types of disclosures under the public health exception, including:
- Disclosures of PHI to a public health authority (, the U.S. Centers for Disease Control and Prevention (CDC); state or local health department) for the purpose of controlling disease. For instance, a covered entity may disclose PHI to the CDC to the extent needed to report all prior and prospective cases of patients exposed to COVID-19.
- Disclosures of PHI to a foreign government agency that is acting in collaboration with a public health authority, at the direction of a public health authority.
- Disclosures of PHI to a person who may have been exposed or may otherwise be at risk of contracting or spreading a disease as necessary to prevent or control the spread of disease, to the extent permitted by other law (, state and local law). For instance, a physician may disclose a patient’s COVID-19 diagnosis to others that live in the same household as the patient without the patient’s authorization.
Preventing a Serious and Imminent Threat
HIPAA permits certain disclosures of PHI to a person or persons reasonably able to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, provided the disclosure of PHI is necessary to prevent or lessen such threat and the disclosure is consistent with applicable law and the provider’s ethics standards. HIPAA defers to the covered entity’s professional judgment in making a “good faith” determination, taking into account the nature and severity of the threat.
Family and Friends and for Notification Purposes
HIPAA permits certain disclosures to a patient’s family and friends or to certain disaster-relief entities to notify family members of patient information, including:
- Disclosures of PHI to a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care, provided the PHI being disclosed is limited to that which is necessary to the person’s involvement in the patient’s care. Covered Entities should get verbal permission for such disclosures, if possible. If the patient is incapacitated or otherwise unavailable, the covered entity may disclose PHI for these purposes if doing so is in the patient’s best interest (in their professional judgment). However, enforcement of noncompliance with the requirement to obtain verbal permission is subject to the 72-hour waivers available to certain hospitals discussed in Section 1(a), above.
- Disclosures of PHI to a public or private entity authorized by law or by its charter to assist in disaster relief efforts, to coordinate with such entities the disclosure of PHI for notifying family members about a patient’s location, general condition, or death.
Employers and Public Health
Disclosures of PHI to a patient’s employer for public health activities are permissible in narrow circumstances, but the requirements are difficult to meet. From a practical perspective, providers may find it simpler (and less risky) to request that individuals sign a waiver before reporting PHI to their employers. Nevertheless, a covered entity may use or disclose PHI to an employer about an individual who is a member of the employer’s workforce (without an authorization), if:
- The covered entity is a provider who provides healthcare to the individual at the request of the employer: (1) to conduct an evaluation relating to medical surveillance of the workplace; or (2) to evaluate whether the individual has a work-related illness or injury.
- The PHI disclosed consists of findings concerning a work-related illness or injury or workplace-related medical surveillance.
- The employer needs such findings to comply with its obligations under certain state or federal occupational health and safety regulations to record such illness or injury or to carry out responsibilities for workplace-related medical surveillance.
- The provider provides written notice to the individual that PHI relating to the medical surveillance of the workplace and work-related illnesses and injuries is disclosed to the employer: (1) by giving a copy of the notice to the individual at the time the healthcare is provided; or (2) if the healthcare is provided on the worksite of the employer, by posting the notice in a prominent place at the location where the healthcare is provided.
HIPAA permits uses and disclosures of PHI about the patient as necessary to treat the patient. Treatment includes the coordination or management of healthcare and related services by one or more healthcare providers and third parties, as well as consultation between providers.
- What are additional considerations for covered entities and business associates during a national emergency?
- Disclosures of PHI to the media are generally not permitted unless an exception applies or the individual signs a valid HIPAA authorization to allow the disclosure.
- Covered entities and business associates must make reasonable efforts to limit uses and disclosures of and requests for PHI to the “minimum necessary” amount needed to accomplish the purpose of the use, disclosure or request. For instance, in response to a request for PHI from the CDC, a covered entity may only provide the minimum amount of PHI necessary for the CDC’s public health purpose (the covered entity may rely on the CDC’s representations as what constitutes the “minimum necessary” in this case). Covered entities must also limit access to PHI to only those workforce members who need it to carry out their job functions. For instance, practitioners may not look up COVID-19 test results of patients unless doing so is necessary to carry out their job duties.
- Cyberattacks on healthcare entities’ computer systems remain a genuine threat, particularly to the extent cyber-vigilance is relaxed or resources are diverted to address other COVID-19 issues. For example, on March 16, 2020, HHS confirmed a cyberattack on its computer system over the weekend, suspecting a foreign actor as the culprit.
If you have any questions regarding the HIPAA requirements in light of the spread of COVID-19, please contact the authors of this content.