As a result of the novel Coronavirus pandemic, the Office for Civil Rights (OCR) recently issued several pieces of guidance to help HIPAA covered entities and their business associates to best address how patient information may be shared under the HIPAA Privacy Rule during an infectious disease outbreak or other emergency situation.
Waiver of HIPAA Penalties for Use of Technology in Telehealth Care Delivery
On March 17, 2020, OCR announced that it would be exercising its enforcement discretion to waive potential HIPAA penalties for providers that serve patients via telehealth through “everyday communications technologies”. The idea is to permit providers to use communication tools like Skype, Facebook Messenger, Google Hangouts and Apple FaceTime for treatment purposes, even if the technologies’ use might not fully comply with the HIPAA Security Rule. Importantly, OCR’s waiver is limited to “non-public facing” technologies that are used in the good-faith delivery of telehealth during the COVID national emergency. Note that the waiver applies to the delivery of care via telehealth for any reason, which means there is no need for the care to be connected to COVID for the waiver to apply. However, the waiver does not extend to “public facing” technology, such as Facebook Live or TikTok. OCR also explains that it will not impose penalties against providers who use such technology without a valid business associate agreement, as long as the activity relates to the good-faith delivery of telehealth during the current national public health emergency. Unlike the waiver discussed below, the exercise of enforcement discretion for care delivery via telehealth applies to all health care providers that are covered entities (not just hospitals).
Waiver of Privacy Rule Requirements for Hospitals
Beginning on March 15, 2020, certain sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule may be waived during the nationwide public health emergency, so that patients can receive the care they need:
- Requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care;
- Requirement to honor a request to opt out of a facility directory;
- Requirement to distribute a notice of privacy practice;
- Patient’s right to request privacy restrictions; and
- Patient’s right to request confidential communications.
When the Secretary of the Department of Health and Human Services issues such a waiver, it only applies to the following:
- The emergency area identified in the public health emergency declaration;
- Hospitals that have instituted a disaster protocol; and
- For up to 72 hours from the time the hospital implements its disaster protocol.
In addition, when the declaration terminates, the hospital must comply with all HIPAA Privacy Rule requirements, even if less than 72 hours after implementing the disaster protocol.
In addition to the limited waiver for hospitals described above, OCR has published guidance explaining how the HIPAA Privacy Rule applies in the event of a national emergency. This guidance is summarized below.
More on HIPAA Privacy and Disclosures in Emergency Situations
Sharing Patient Information
Treatment – Under the Privacy Rule, covered entities may disclose, without a patient’s authorization, protected health information (PHI) about the patient as necessary to treat the patient or to treat a different patient. Treatment includes coordination or management of health care and related services by one or more health care providers and others, consulting between providers, and referring patients for treatment.
What does this mean? A health care provider whose patient tests positive for the Coronavirus may disclose the positive test result to other health care providers in order to coordinate or manage the patient’s treatment by those providers or consultants, to refer the patient for treatment, or to treat a different patient.
Public Health Activities – The Privacy Rule allows a “public health authority”, such as an agency or authority of the United States government, a State, a territory or an Indian tribe, to have access to PHI without individual authorization in order to carry out its public health mission.
When does the Rule permit covered entities to disclose PHI to a public health authority without authorization?
- When a public health authority needs the PHI on an ongoing basis to report all prior and prospective cases of patients exposed to, suspected of having, or confirmed to have COVID-19.
- At the direction of a public health authority, to a foreign government agency acting in collaboration with the public health authority.
- To persons at risk of contracting or spreading a disease or condition to prevent or control the spread of the disease or to carry out public health interventions or investigations.
For example: if a patient tests positive for COVID-19, the hospital or physician may report the positive finding to the public health department, the CDC or another public health authority to allow for interventions or investigations into the spread of the disease.
Disclosures to Family, Friends and Others in an Individual’s Care and for Notification – A covered entity may share PHI with a patient’s family members, relatives, friends or other persons identified by the patient as involved in the patient’s care. In addition, a covered entity may share PHI about a patient as necessary to identify, locate and notify family members, guardians or anyone else responsible for the patient’s care, of the patient’s location, general condition or death, including when necessary to notify family members and others, police, press or the public at large.
The following caveats apply to such disclosures:
- When possible, the covered entity should obtain the patient’s verbal permission or otherwise be able to reasonably infer that the patient does not object; if the patient is incapacitated or unavailable, PHI may be shared if, in the covered entity’s professional judgment, the sharing is in the patient’s best interest.
- A covered entity may also share PHI with disaster relief organizations that are authorized by law or by their charters to assist in disaster relief efforts, in order to coordinate notification of family members or others involved in the patient’s care about the patient’s location, general condition or death. No patient authorization is needed to share the information, so as not to interfere with the organization’s ability to respond to the emergency.
- For example, if an elderly, incapacitated patient tests positive for the Coronavirus, the covered entity may share the relevant information, i.e. the positive test, with the patient’s adult child, but should not share unrelated information about the patient’s medical history without authorization.
Disclosures to Prevent or Lessen a Serious and Imminent Threat – If health care providers determine, in their professional judgment, that the nature and severity of a threat to health and safety warrants disclosure, PHI may be shared with anyone as needed to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, consistent with applicable local, state or federal statutes, regulations or case law and the provider’s standards of ethical conduct.
Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification – In general, information about an identifiable patient may not be disclosed to the public or the media without the written authorization of the patient or the patient’s personal representative. When a patient has not objected to or restricted the release of PHI, a covered hospital or other health care facility may, upon a request for PHI about a particular patient who is asked for by name, release limited facility directory information acknowledging that the individual is a patient and provide basic information about the patient’s condition, i.e. critical, stable, deceased, or treated and released. When the patient is incapacitated, such information may be released if the disclosure is believed to be in the best interest of the patient and is consistent with any prior preferences expressed by the patient.
Minimum Necessary – In most cases, a covered entity must make reasonable efforts to limit disclosed information to the “minimum necessary” to accomplish the purpose. However, covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose, when that reliance is reasonable.
- For example, a covered entity may rely on the CDC’s representation that the PHI it requests about patients exposed to, suspected of having, or confirmed to have COVID-19 is the minimum necessary for the public health purpose. However, covered entities should continue to limit internal use of and access to PHI to only those workforce members who need the PHI to carry out their work duties.
Safeguarding Patient Information – During emergencies covered entities must continue to have reasonable safeguards in place to prevent intentional or unintentional uses and disclosures of PHI. Covered entities and their business associates must also apply the administrative, physical and technical safeguards of the HIPAA Security Rule to electronic protected health information (e-PHI).
HIPAA Applies Only to Covered Entities and Business Associates – Be mindful that HIPAA does not apply to entities and persons who are not covered entities or business associates, although other state or federal rules may apply to their disclosures.
Business Associates – A business associate of a covered entity, including a business associate that is a subcontractor, may make disclosures permitted by the Privacy Rule, as outlined above, on behalf of a covered entity or other business associate to the extent authorized by its business associate agreement.
****
During a time of emergency, it is important for covered entities and business associates to keep their reasonable safeguards in place and to continue applying them throughout the emergency. As covered entities and business associates are confronted with new and different challenges and questions related to COVID-19, they should seek legal assistance to help address the unique situations being presented.
LathropGPM is ready to assist health care providers and entities as they are confronted with the novel legal and compliance challenges an emergency such as COVID-19 presents. If you have questions about HIPAA, please contact Denise Bloch or Jesse Berg or any member of the Lathrop GPM health law team.