Relaxation of HIPAA Restrictions in the COVID-19 Era
By Sherrese Smith & Adam Reich
As the nation races to identify treatments and a vaccine for COVID-19, enforcement of the privacy strictures of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) has been relaxed. In March 2020, the Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) announced that it would exercise enforcement discretion and not impose penalties for HIPAA violations against healthcare providers who treat patients through commonly used video communication apps.
An Overview of HIPAA’s Privacy Rule
The Privacy Rule sets forth national standards to protect individually identifiable health information, a/k/a protected health information (“PHI”), from disclosure. PHI includes any information about an individual’s past, present, or future physical or mental health or condition; healthcare provided to the individual; past, present, or future payment for that healthcare; and anything that can reasonably be construed as identifying the individual in relation to such health information, including social security number, birthdate, name, and residence address.
The Privacy Rule applies not just to health care providers, but also to health plans, health care clearinghouses, and “business associates” that perform certain functions or activities on behalf of, or provide certain services to, health care providers, health plans, and health care clearinghouses, where those functions or services involve the use or disclosure of PHI. OCR has traditionally construed the business associate category broadly, as including law firms and lawyers, actuaries, accountants and accounting firms, consultants and consulting firms, data aggregators, managers and boards of directors, administrators, accreditors, and persons providing financial services to the covered entities.
At base, the Privacy Rule restricts the use and disclosure of PHI without an individual’s written authorization, except where the Rule itself permits or requires it. Only two scenarios require disclosure: (1) to individuals or their personal representatives who request access to, or an accounting of disclosures of, their PHI; and (2) to HHS in connection with a compliance investigation, review, or enforcement action.
COVID-19-Related Enforcement Relaxation
As an emerging response to COVID-19, and consistent with the permissive disclosures of PHI codified in HIPAA, OCR has announced that it is:
Not penalizing doctors and other health care providers that use “non-public facing” video communication products for the good faith provision of any telehealth services during the COVID-19 public health emergency.
Waiving sanctions and penalties against covered hospitals in a designated geographic area for certain violations of the Privacy Rule for up to 72 hours from the time that the hospitals implement their disaster protocols, including the Privacy Rule’s requirements for: obtaining a patient’s agreement to speak with family members or friends involved in the patient’s care; honoring a request to opt out of the facility directory; distributing a notice of privacy practices; and honoring the patient’s right to request privacy restrictions and confidential communications.
Not penalizing covered healthcare providers and business associates for good faith uses and disclosures of PHI for public health and health oversight activities that might otherwise violate the Privacy Rule, provided that the business associate informs the covered entity within ten calendar days after the use or disclosure occurs. This covers PHI disclosures, and any PHI data analytics, requested from business associates by federal, state, and local health authorities and emergency operations centers, including the Centers for Disease Control and Prevention (“CDC”) and the Centers for Medicare and Medicaid Services (“CMS”).
Not penalizing covered healthcare providers and business associates for noncompliance with the HIPAA Rules in connection with their good faith participation in the operation of a COVID-19 Community-Based Testing Site (“CBTS”) during the nationwide public health emergency, including mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public, provided that they implement reasonable safeguards to protect the privacy and security of individuals’ PHI.
The Enforcement Relaxation Has Not Nullified HIPAA
Notwithstanding the various announcements of relaxation of enforcement by OCR and HHS during the COVID-19 public health emergency, the privacy restrictions of HIPAA have not been nullified or repealed.
First, OCR’s relaxation of enforcement has been specifically tailored to certain aspects of the Privacy Rule and to certain covered entities and persons. Indeed, OCR and HHS have explicitly reaffirmed with each announcement that enforcement will continue as to other requirements and prohibitions under the Privacy Rule, as well as obligations under HIPAA’s Security and Breach Notification Rules. For example, on April 2, 2020, OCR stated, “business associates remain liable for complying with the Security Rule’s requirements to implement safeguards to maintain the confidentiality, integrity, and availability of electronic PHI (ePHI), including by ensuring secure transmission of ePHI to the public health authority or health oversight agency.”
Second, OCR and HHS have conspicuously repeated with each enforcement discretion announcement that the relaxation will end at the conclusion of the COVID-19 public health emergency. The announcement of an end date for this relaxation confirms that COVID-19 has not rendered HIPAA’s privacy restrictions obsolete.
Third, the recent announcements concerning enforcement relaxation do not address many of the protections and restrictions imposed by HIPAA, which must therefore be considered fully applicable and enforceable, including, for example:
Sales of PHI, including PHI obtained during a telehealth communication;
Unauthorized use of PHI for marketing purposes;
Use and disclosure of genetic information for underwriting purposes; and
Use of public-facing remote communication products for transmission of PHI, including TikTok, Facebook Live, Twitch, or a chat room like Slack.
The impact of COVID-19 on HIPAA’s Privacy Rule has been significant, but not to the point that HIPAA has been rendered obsolete. The whistleblower provision, 45 C.F.R. § 164.502(j), remains in full effect, and OCR continues to actively pursue enforcement actions, even announcing on April 8, 2020 that it had resolved a compliance review of the State of Alabama relating to the state’s removal of ventilator rationing guidelines.
Paul Hastings is available to audit existing HIPAA compliance programs, to counsel clients through best steps to reasonably maintain the security and privacy of PHI and to adhere to evolving guidance from OCR and HHS in the wake of COVID-19, and to respond to any enforcement actions or whistleblower notifications.