March 19, 2020
Health Alert: OCR Issues Guidance to Assist Health Care Providers in the Age of the Coronavirus
As a result of the novel Coronavirus pandemic, the Office for Civil Rights (OCR) recently issued several pieces of guidance to help HIPAA covered entities and their business associates to best address how patient information may be shared under the HIPAA Privacy Rule during an infectious disease outbreak or other emergency situation.
Waiver of HIPAA Penalties for Use of Technology in Telehealth Care Delivery
On March 17, 2020, OCR announced that it would be exercising its enforcement discretion to waive potential HIPAA penalties for providers that serve patients via telehealth through “everyday communications technologies”. The idea is to permit providers to use communication tools like Skype, Facebook Messenger, Google Hangouts and Apple FaceTime for treatment purposes, even if the technologies’ use might not fully comply with the HIPAA Security Rule. Importantly, OCR’s waiver is limited to “non-public facing” technologies that are used in the good-faith delivery of telehealth during the COVID national emergency. Note that the waivers apply to the delivery of care via telehealth for any reason, which means there is no need for the care to be connected to COVID for the waivers to apply. However, the waivers do not extend to “public facing” technology, such as Facebook Live or TikTok. OCR also explains that it will not impose penalties against providers who use technology without a valid business associate agreement, as long as the activity relates to the good-faith delivery of telehealth during the current national public health emergency. Unlike the waiver discussed below, the exercise of enforcement discretion for care delivery via telehealth applies to all health care providers that are covered entities (not just hospitals).
Waiver of Privacy Rule Requirements for Hospitals
Beginning on March 15, 2020, certain sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule may be waived during the nationwide public health emergency to assist patients to receive the care they need:
When the Secretary of the Department of Health and Human Services issues such a waiver, it only applies to the following:
In addition, when the declaration terminates, the hospital must comply with all HIPAA Privacy Rule requirements, even if less than 72 hours after implementing the disaster protocol.
In addition to the limited waiver for hospitals described above, OCR has published guidance explaining how the HIPAA Privacy Rule applies in the event of a national emergency. This guidance is summarized below.
More on HIPAA Privacy and Disclosures in Emergency Situations
Sharing Patient Information
Treatment - Under the Privacy Rule, covered entities may disclose, without a patient’s authorization, protected health information (PHI) about the patient as necessary to treat the patient or to treat a different patient. Treatment includes coordination or management of health care and related services by one or more health care providers and others, consulting between providers, and referring patients for treatment.
What does this mean? A health care provider who has a patient test positive for the Coronavirus may disclose the positive test results to other health care providers to coordinate or manage the patient’s treatment by other providers or consultants, to refer the patient for treatment, or to treat a different patient.
Public Health Activities – The Privacy Rule allows a “public health authority” such as an agency or authority of the United States government, a State, territory or Indian tribe to have access to PHI without individual authorization to carry out their public health mission.
When does the Rule permit covered entities to disclose PHI to a public health authority without authorization?
For example, when a patient tests positive for COVID-19, the hospital or physician may report the positive finding to the public health department, CDC or other authority to allow for interventions or investigations into the spread of the disease.
Disclosures to Family, Friends and Others in an Individual’s Care and for Notification – A covered entity may share PHI with a patient’s family members, relatives, friends or other persons identified by the patient as involved in the patient’s care. In addition, a covered entity may share PHI about a patient as necessary to identify, locate and notify family members, guardians or anyone else responsible for the patient’s care, of the patient’s location, general condition or death, including when necessary to notify family members and others, police, press or the public at large.
The following caveats apply to such disclosures:
Disclosures to Prevent or Lessen a Serious and Imminent Threat – If health care providers in their professional judgment determine that the nature and severity of the threat to health and safety warrants disclosure, PHI may be shared with anyone as needed to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable local, state or federal statutes, regulations or case law and the provider’s standards of ethical conduct.
Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification – In general, information about an identifiable patient may not be disclosed to the public or media without the written authorization of the patient or the patient’s personal representative. When a patient has not objected to or restricted the release of PHI, a covered hospital or other health care facility may, upon a request for PHI about a particular patient asked for by name, release limited facility directory information acknowledging that the individual is a patient and provide basic information about the patient’s condition, i.e. critical, stable, deceased or treated and released. The facility may also do so when the patient is incapacitated, if disclosure is believed to be in the best interest of the patient and is consistent with any prior preferences expressed by the patient.
Minimum Necessary – In most cases, a covered entity must make reasonable efforts to limit disclosed information to the “minimum necessary” to accomplish the purpose. However, covered entities may rely on representations from a public health authority or other public officials that the requested information is the minimum necessary for the purpose, when that reliance is reasonable.
Safeguarding Patient Information – During emergencies covered entities must continue to have reasonable safeguards in place to prevent intentional or unintentional uses and disclosures of PHI. Covered entities and their business associates must also apply the administrative, physical and technical safeguards of the HIPAA Security Rule to electronic protected health information (e-PHI).
HIPAA Applies Only to Covered Entities and Business Associates – Be mindful that HIPAA does not apply to other entities and persons who are not covered entities or business associates, but other state or federal rules may apply to disclosures.
Business Associates – A business associate of a covered entity, including a business associate that is a subcontractor, may make disclosures permitted by the Privacy Rule, as outlined above, on behalf of a covered entity or other business associate to the extent authorized by its business associate agreement.
During a time of emergency, it is important for covered entities and business associates to keep their reasonable safeguards in place and to continue implementing them throughout the emergency. As covered entities and business associates are confronted with new and different challenges and questions related to COVID-19, they should seek legal assistance to help confront the unique situations being presented.
Lathrop GPM is ready to assist health care providers and entities as they are confronted with the novel legal and compliance challenges an emergency such as COVID-19 presents. If you have questions about HIPAA, please contact Denise Bloch or Jesse Berg or any member of the Lathrop GPM health law team.
© 2020 LATHROP GPM, ALL RIGHTS RESERVED
The information contained in this document is provided to alert you to legal developments and should not be considered legal advice. It is not intended to and does not create an attorney-client relationship. Specific questions about how this information affects your particular situation should be addressed to one of the individuals listed. No representations or warranties are made with respect to this information, including, without limitation, as to its completeness, timeliness, or accuracy, and Lathrop GPM shall not be liable for any decision made in connection with the information. The choice of a lawyer is an important decision and should not be based solely on advertisements.