As the nation races to identify treatments and a vaccine for COVID-19, enforcement of the privacy strictures of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) has been relaxed. In March 2020, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) announced that it would exercise enforcement discretion and not impose penalties for HIPAA violations against healthcare providers treating patients through commonly used social media apps. On April 2, 2020, OCR announced that it would not penalize health care providers and their business associates “for the good faith uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency.” And on April 9, 2020, OCR announced that it would not impose penalties for violations of the HIPAA Rules against covered entities or business associates in connection with good faith participation in the operation of COVID-19 testing sites during the COVID-19 nationwide public health emergency. Notwithstanding OCR’s recent announcements, HIPAA’s privacy protections are not obsolete, and relaxed enforcement of the Privacy Rule is not indefinite. Accordingly, anyone covered by HIPAA should maintain a robust privacy compliance program and track closely future announcements by OCR and HHS concerning HIPAA and the Privacy Rule.
An Overview of HIPAA’s Privacy Rule
The Privacy Rule sets forth national standards to protect individually identifiable health information, a/k/a protected health information (“PHI”), from public disclosure. PHI includes any information about an individual’s past, present, or future physical or mental health or conditions; healthcare provided to the individual; past, present, or future payment for healthcare provided to the individual; and anything which can reasonably be construed as personally identifying the individual in relation to such health information, including social security number, birthdate, name, and residence address.
The Privacy Rule applies broadly, not just to health care providers, but also to health plans, health care clearinghouses, and “business associates” that perform certain functions or activities on behalf of, or provide certain services to, health care providers, health plans, and health care clearinghouses, where those functions or services involve the use or disclosure of PHI. OCR has traditionally construed the business associate category broadly, as including law firms and lawyers, actuaries, accountants and accounting firms, consultants and consulting firms, data aggregators, managers and boards of directors, administrators, accreditors, and persons providing financial services to the covered entities. And in February 2020, OCR clarified that the “business associates” umbrella, and the attendant privacy responsibilities under HIPAA, extend to volunteers and other members of a business associate’s workforce beyond standard employees, as well as to subcontractors that create, receive, maintain, or transmit PHI on behalf of another business associate.
At base, the Privacy Rule restricts disclosure of PHI without an individual’s written authorization. Specifically, there are two scenarios where PHI must be disclosed: (1) to individuals or their personal representatives who request access to, or an accounting of disclosures of, their PHI; and (2) to HHS in connection with a compliance investigation or review of an enforcement action. OCR has also acknowledged six general scenarios where PHI may be disclosed: (1) directly to the individual whose PHI is involved; (2) by a covered entity for treatment, payment, and health care operations; (3) where permission for disclosure has been informally granted by the individual, or in circumstances where the individual is incapacitated, in an emergency situation, or otherwise unavailable, and the covered entity’s professional judgment concludes that disclosure is in the best interests of the individual; (4) incidental to an otherwise permitted use and disclosure of PHI that is protected by reasonable safeguards; (5) in any of 12 specifically enumerated scenarios where, after balancing the individual’s privacy interest against the public interest, disclosure is favored, including public health activities and where disclosure is necessary to ameliorate or prevent a serious and imminent threat to a person or the public; and (6) as a limited data set for the purposes of research, public health, or health care operations.
COVID-19-Related Enforcement Relaxation
As an emerging response to COVID-19, and consistent with the permissive disclosures of PHI codified in HIPAA, OCR and HHS have announced several discretionary determinations to not enforce certain aspects of the Privacy Rule in the interests of public health. These include:
- Not penalizing doctors and other health care providers that utilize “non-public facing” video communication for the good faith provision of any telehealth services during the COVID-19 public health emergency.
- Waiving sanctions and penalties against covered hospitals in a designated geographic area for certain violations of the Privacy Rule for up to 72 hours from the time that the hospitals implement their disaster protocols, including the Privacy Rule’s requirements for: obtaining a patient’s agreement to speak with family members or friends involved in the patient’s care; honoring a request to opt out of the facility directory; distributing a notice of privacy practices; and honoring the patient’s right to request privacy restrictions and confidential communications.
- Not penalizing covered healthcare providers and business associates for good faith uses and disclosures of PHI for public health and health oversight activities that might otherwise violate the Privacy Rule, provided that the business associate informs the covered entity within ten calendar days after the use or disclosure occurs. This includes PHI disclosures and any PHI data analytics requested from business associates by federal, state, and local health authorities and emergency operations centers, including the Centers for Disease Control and Prevention (“CDC”) and Centers for Medicare and Medicaid Services (“CMS”).
- Not penalizing covered healthcare providers and business associates that implement reasonable safeguards to protect the privacy and security of individuals’ PHI for noncompliance with the regulatory requirements under the HIPAA Rules in connection with the good faith participation in the operation of a COVID-19 Community-Based Testing Site (“CBTS”) during the COVID-19 nationwide public health emergency, including mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public. 
The Enforcement Relaxation Has Not Nullified HIPAA
Notwithstanding the various announcements of relaxation of enforcement by OCR and HHS during the COVID-19 public health emergency, the privacy restrictions of HIPAA have not been nullified or repealed.
First, OCR’s relaxation of enforcement has been specifically tailored to certain aspects of the Privacy Rule and only certain covered entities and persons. Indeed, OCR and HHS have explicitly reaffirmed with each announcement that enforcement will continue as to other requirements or prohibitions under the Privacy Rule, as well as obligations under HIPAA’s Security and Breach Notification Rules. For example, on April 2, OCR stated, “business associates remain liable for complying with the Security Rule’s requirements to implement safeguards to maintain the confidentiality, integrity, and availability of electronic PHI (ePHI), including by ensuring secure transmission of ePHI to the public health authority or health oversight agency.” Similarly, in March OCR expressly clarified that health insurance companies that merely pay for telehealth services are not covered by the Notice of Enforcement Discretion relating to use of non-public facing video communication.
Second, OCR and HHS have conspicuously repeated with each discretion announcement that enforcement relaxation will end at the conclusion of the COVID-19 public health emergency. The announcement of an end-date for this relaxation confirms that COVID-19 has not rendered HIPAA’s privacy restrictions obsolete.
Third, the recent announcements concerning enforcement relaxation do not even address a myriad of protections and restrictions imposed by HIPAA, which must therefore be considered fully applicable and enforceable, including, for example:
- Sales of PHI, including PHI obtained during a telehealth communication; 
- Unauthorized use of PHI for marketing purposes; 
- Use and disclosure of genetic information for underwriting purposes; and
- Use of public-facing remote communication products for transmission of PHI, including TikTok, Facebook Live, Twitch, or a chat room like Slack.
The impact of COVID-19 on HIPAA’s Privacy Rule has been significant, but not to the point that HIPAA has been rendered obsolete. The whistleblower provision, 45 C.F.R. § 164.502(j), remains in full effect, and OCR continues to actively pursue enforcement actions, even announcing on April 8, 2019 that it resolved a compliance review of the State of Alabama relating to the state’s removal of ventilator rationing guidelines. Moreover, when the COVID-19 public health emergency is finally resolved, OCR and HHS’s discretionary announcements will expire. Those with business operations that involve PHI must remain cognizant of the Privacy Rule and HIPAA’s requirements for protecting individuals’ PHI from unauthorized and unpermitted disclosures and uses. Robust compliance programs should be maintained and followed.
Paul Hastings is available to audit existing HIPAA compliance programs, to counsel clients through best steps to reasonably maintain the security and privacy of PHI and to adhere to evolving guidance from OCR and HHS in the wake of COVID-19, and to respond to any enforcement actions or whistleblower notifications.