Skip to the content

Office for Civil Rights Relaxes HIPAA Enforcement in Response to COVID-19 Pandemic

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) has issued several Notifications of Enforcement Discretion (“Notifications”) stating its intent not to enforce certain regulatory requirements under the Health Insurance Portability and Accountability Act, as amended by the Health Information for Economic and Clinical Health Act (“HIPAA Rules”), for the duration of the public health emergency resulting from the COVID-19 pandemic.  OCR has also issued guidance regarding the ways in which health information may be used and shared during this unprecedented time (“Guidance”).  Covered Entities and their Business Associates are cautioned, however, that the HIPAA Rules remain in place and that appropriate action will be taken against those whose conduct exceeds the scope of the Notifications and Guidance. 

Below are summaries of the Notifications and Guidance issued by OCR.  Complete copies of the Notifications and Guidance can be found at: https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html.

  • In February of 2020, as the COVID-19 outbreak was beginning in the U.S., OCR issued a Bulletin regarding HIPAA Privacy and the Novel Coronavirus. This Bulletin discussed the applicability of the HIPAA Rules and outlined the many ways in which Covered Entities and Business Associates can legally use and share Protected Health Information (“PHI”).  These include, but are not limited to, uses and disclosures for treatment; public health activities; disclosure to family, friends, and others involved in an individual’s care and for notification; disclosures to prevent a serious and imminent threat; and disclosures to media or others not involved in the care of a patient.  Important takeaways include:
    • Reports can be made to public health authorities such as the CDC or a state or local health department for the purpose of controlling a disease such as COVID-19. This includes reporting on patients who have been exposed to, or who are suspected of or confirmed to have, COVID-19, as well as patient deaths resulting from COVID-19.  It also includes reports for purposes of contact tracing, to the extent that notifications of this type are authorized by state law.
    • Healthcare providers can notify family, friends and other contacts of an individual who has been exposed to, or is suspected of or confirmed to have, COVID-19. This should be done if a healthcare provider, exercising professional judgment, believes that such notifications are necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. 
    • OCR advises extreme caution when dealing with the media. Affirmative reporting to the media about an individual patient, including tests conducted and test results, is prohibited without the patient’s prior consent except to provide general patient status (e.g. critical, stable, deceased).  
  • On March 17, 2020, OCR announced Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency. OCR indicated that it will not impose penalties for noncompliance with the HIPAA Rules against Covered Entities in connection with the good faith provision of telehealth during the COVID-19 pandemic.  Of note:
    • A provider that uses audio or video communication technology to provide telehealth to patients must use non-public facing remote communication products (e.g. Apple FaceTime, Facebook Messenger, Google Hangouts, Zoom, or Skype).
    • A provider should notify patients of the privacy risks associated with these applications and enable all encryption and privacy modes when using the applications.
    • Public-facing applications are not authorized for telehealth and should not be used (e.g. Faceobok Live, Twitch, TikTok).
    • A Business Associate Agreement with the video communication vendor is not
    • The Notification applies to telehealth for any reason, even if it is not related to the diagnosis or treatment of COVID-19. 
  • On March 20, 2020, OCR published Guidance on Telehealth Remote Communications. This Guidance was in the form of FAQs, linked below, that clarify how OCR is applying the Notification of Enforcement Discretion to support the good faith provision of telehealth services at a time when limiting social contact is critical.  It includes, by way of example, guidance regarding the settings in which telehealth visits should be conducted (e.g. private office or at a reasonable distance from others if complete privacy is not an option), as well as what might constitute bad faith in the provision of telehealth services (e.g. conduct in furtherance of a criminal act such as fraud, violation of state licensing laws or use of public-facing remote communication products).[1]  https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf 
  • On March 24, 2020, OCR issued Guidance to Help Ensure First Responders and Others Receive Protected Health Information about Individuals Exposed to COVID-19. This Guidance clarifies the circumstances in which an individual’s COVID-19 status or other PHI can be shared with law enforcement, EMS personnel, first responders, and other’s involved with the individual’s care, as well as public health authorities. 
    • For law enforcement, EMS personnel, first responders and others involved with an individual’s care these circumstances include:
      • Treatment communications (e.g. SNF can advise EMS personnel of a patient’s COVID-19 status so they can properly care for the individual while transporting to a hospital)
      • Notification to EMS personnel and others that they may have been exposed to COVID-19 and are at risk of contracting or spreading the disease (e.g. local health department can notify a police officer of exposure to a patient determined to be COVID-19 positive)
      • Disclosures intended to prevent or lessen a serious and imminent threat to a person or the public (e.g. EMS dispatch notifying responding personnel of an individual’s COVID-19 status based on list of COVID-19 positive patients provided by a hospital; 911 call center screening callers and advising responding law enforcement personnel about potential infection and exposure)
      • To a correctional institution or law enforcement official if the PHI is needed for the provision of healthcare to an individual in lawful custody, to protect others who come into contact with an infected or potentially infected individual and for law enforcement and administration and maintenance functions at a correctional institution (e.g. a prison physician can share an inmate’s COVID-19 status with correctional officers at the facility).
    • For public health authorities these include:
      • Notifications required by law (e.g. notification to DPH of suspected and confirmed cases of COVID-19)
      • Notifications to prevent or control the spread of COVID-19 (e.g. notification to DPH or CDC of suspected or confirmed cases of COVID-19)
    • The Guidance reminds Covered Entities that the minimum necessary requirements of the HIPAA Rules continue to apply. It also provides several real-world examples of the applicability of HIPAA in the context of COVID-19 and emergency response and how to best manage the dissemination of information.  
  • On April 2, 2020, OCR announced Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19. OCR indicated that it will not impose penalties against Covered Entities or their Business Associates for violating the HIPAA Rules in making good faith disclosures of PHI for public health and health oversight activities related to COVID-19.  Covered Entities are already authorized to make such disclosures and now Business Associates are permitted to share data in a similar fashion without risk of a HIPAA penalty.  The Notification in essence allows Business Associates to disclose PHI in ways not contemplated in their Business Associate Agreements (something otherwise prohibited by the HIPAA Rules) and Covered Entities do not have a responsibility to stop these disclosures (something they are otherwise required to do by the HIPAA Rules).  Examples would be having Business Associates make direct disclosures of COVID-19 related PHI to state emergency operations centers or conduct public health data analytics on behalf of a Covered Entity.  All other HIPAA Rules related to Business Associates remain in effect and enforceable. 
  • On April 9, 2020, OCR announced Notification of Enforcement Discretion for Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency. OCR indicated that it will not impose penalties against Covered Entities or Business Associates in connection with the good faith operation of COVID-19 community-based testing sites (“CBTS”).  This includes mobile, drive-through and walk-up specimen collection and testing sites that test for COVID-19 only, such as those being operated by large pharmacy chains.  Covered Entities and Business Associates are encouraged to use reasonable safeguards at CBTSs such as installing canopies and opaque barriers to ensure patient privacy, controlling foot and car traffic in the vicinity of the test site, establishing a media “buffer zone,” using secure technology to transmit records, and posting an NPP for patient to review.  This notification is retroactive to March 13, 2020, and does not apply to a provider’s operations separate from the CBTS.    
  • On May 5, 2020, OCR issued Guidance on Covered Health Care Providers and Restrictions on Media Access to Protected Health Information about Individuals in Their Facilities. OCR reminded providers that the HIPAA Rules do not allow media or film crews access to areas where patients and their PHI are accessible without prior authorization from every patient whose PHI will be accessible.  Masking or obscuring patients’ faces or identifying information before broadcast (but after filming) is not sufficient because the disclosure of PHI to individuals from the media or film crews without patient authorization is itself a HIPAA violation.  Even with signed authorizations, reasonable safeguards should be put in place such as obscuring electronic health information displayed on computer screens.  Patients cannot be required to sign a media-access authorization as a condition of treatment. 

[1] On April 22, 2020, Governor Lamont issued Executive Order 7DD, which modified Section 19a-906(f) of the Connecticut General Statutes to permit certain practitioners to provide telehealth services utilizing information and communication technologies consistent and in accordance with OCR’s directives on remote communication during the COVID-19 pandemic. 

If you have any questions or need assistance with HIPAA or other healthcare-related issues, contact Jennifer Groves Fusco at (203) 786-8316 or jfusco@uks.com

Disclaimer: The information contained in this material is not intended to be considered legal advice and should not be acted upon as such. Because of the generality of this material, the information provided may not be applicable in all situations and should not be acted upon without legal advice based on the specific factual circumstances.