HHS Office for Civil Rights Announces Guidance to Assist Providers in Navigating HIPAA During the COVID-19 Public Health Emergency
During the early weeks of the Novel Coronavirus (2019-nCoV) outbreak, the HHS Office for Civil Rights (OCR) recognized that HIPAA-covered entities and business associates had questions about how to share needed PHI relating to COVID-19. Since that time, HHS has issued several Notices, Bulletins, and FAQs in an effort to: (1) ensure covered entities (CEs) and business associates (BAs) are aware of the ways PHI may be shared under the HIPAA Privacy Rule in the event of an outbreak of infectious disease or other emergency situation; and (2) remove the fear of HIPAA prosecution and punishment related to PHI disclosures made by CEs in their treatment of patients with COVID-19. These announcements have helped educate CEs and BAs that, although an emergency does not obviate the existence and enforcement of HIPAA’s Privacy Rule, the Department will exercise “enforcement discretion” for certain methods of sharing PHI that otherwise may not be fully compliant with HIPAA, as long as that information is shared based on a good faith belief that the use or disclosure is necessary for patient treatment or public health reasons.
Guidance on Disclosures to First Responders and Public Health Authorities
On February 3, 2020, HHS released guidance addressing the ways that the HIPAA Privacy Rule permits the use or disclosure of PHI in many circumstances that may arise during the COVID-19 outbreak. This guidance confirmed that the Privacy Rule permits a CE to disclose the PHI of an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities, without the individual’s HIPAA authorization, in certain circumstances. Several example circumstances were given, including:
- When disclosure is needed to provide treatment (45 CFR 164.502(a)(1)(ii); 45 CFR 164.506(c)(2)) – HIPAA permits a covered entity to disclose PHI about an individual who has COVID-19 to emergency medical transport personnel who will provide treatment while transporting the individual to a hospital emergency department.
- When notification is required by law (45 CFR 164.512(a)) – HIPAA permits a covered entity to disclose PHI about an individual who tests positive for COVID-19 in accordance with a state law requiring the reporting of confirmed or suspected cases of infectious disease to public health officials.
- To notify a public health authority in order to prevent or control spread of disease (45 CFR 164.512(b)(1)(i); 45 CFR 164.501) – HIPAA permits a covered entity to disclose PHI to a public health authority, such as the CDC or state public health departments, that is authorized by law to collect or receive PHI for the purpose of preventing or controlling disease, injury, or disability, including for public health surveillance, public health investigations, and public health interventions.
- When first responders may be at risk of infection (45 CFR 164.512(b)(1)(iv)) – CEs may disclose PHI to a first responder who may have been exposed to COVID-19, or may otherwise be at risk of contracting or spreading COVID-19, if the CE is authorized by law, such as state law, to notify persons as necessary in the conduct of a public health intervention or investigation.
- When disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public (45 CFR 164.512(j)(1)) – A CE may disclose PHI to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat, which may include the target of the threat.
- When responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual (45 CFR 164.512(k)(5)) – CEs may disclose PHI in response to a request from a correctional institution or law enforcement official having lawful custody of an inmate or other individual if the facility or official represents that the PHI is needed for: (a) providing health care to the individual; (b) the health and safety of the individual, other inmates, officers, employees and others present at the correctional institution, or persons responsible for the transporting or transferring of inmates; (c) law enforcement on the premises of the correctional institution; or (d) the administration and maintenance of the safety, security, and good order of the correctional institution.
Notably, except when disclosure of PHI is required by law or for treatment, a CE still must make reasonable efforts to limit the PHI used or disclosed to the “minimum necessary” to accomplish the disclosure’s purpose (45 CFR 164.502(b)).
Section 1135 Waivers
Section 1135 of the Social Security Act provides that when a President declares a disaster or emergency under the Stafford Act or the National Emergencies Act and the HHS Secretary declares a public health emergency under Section 319 of the Public Health Service Act, the Secretary is authorized to take certain actions in addition to his or her regular authority, including issuing waivers of certain Medicare, Medicaid, and Children’s Health Insurance Program requirements. These waivers typically end no later than the termination of the emergency period, unless extended by notice for additional periods. Notably, 1135 waivers apply only to Federal requirements, and do not apply to State requirements.
On January 31, 2020, the HHS Secretary declared a public health emergency under the Public Health Service Act. On March 13, 2020, President Trump declared a national emergency under the National Emergencies Act and made an emergency determination under the Stafford Act. These actions triggered the HHS Secretary’s authority to issue waivers of certain Medicare, Medicaid, and Children’s Health Insurance Program requirements as provided by Section 1135 of the Social Security Act. Following President Trump’s emergency declaration on March 13, CMS announced a set of waivers relating to the COVID-19 emergency.
- 1135 Waiver Relating to the Use of Telehealth Communication Applications
On March 17, 2020, the HHS Office for Civil Rights (OCR) released a Notice of Enforcement Discretion applicable to all health care providers covered by HIPAA and providing telehealth services during the emergency. Among other things, the Notice recognized that “during the COVID-19 national emergency, which also constitutes a public health emergency, covered health providers subject to the HIPAA Rules may seek to communicate with patients and provide telehealth services through remote communication technologies.” HHS further acknowledged that some telehealth technologies and the manner in which they are used may not fully comply with HIPAA. In its Notice, HHS attempted to strike a balance between ensuring the security of an individual’s PHI and an individual’s need for treatment via telehealth applications.
OCR stated it would exercise its enforcement discretion and not impose penalties on covered health care providers who, in the good faith provision of telehealth during the COVID-19 emergency, were noncompliant with the requirements of the HIPAA Rules. OCR explicitly recognized that covered health care providers may use apps for video chats, including Apple FaceTime, Facebook Messenger Video Chat, Google Hangouts video, Zoom, or Skype, to provide telehealth services without risk that OCR might seek to impose penalties for noncompliance. Providers were urged to notify patients that those kinds of third-party applications potentially introduce privacy risks, and OCR cautioned that providers should enable all available encryption and privacy modes when using the applications.
OCR also identified several public-facing video chat applications that should not be used in the provision of telehealth by covered health care providers, including Facebook Live, Twitch, TikTok, and similar video communication apps. Additionally, it noted that covered health care providers who seek additional privacy protections for telehealth while using services through technology vendors should do so with HIPAA-compliant vendors who will enter into Business Associate Agreements (BAA) in the provision of their video communication products.
- 1135 Waiver Relating to Disclosures by Covered Entities During COVID-19 Emergencies
On March 16, 2020, the HHS Secretary announced multiple waivers of sanctions and penalties for specific provisions of the HIPAA Privacy Rule during the nationwide COVID-19 public health emergency pursuant to Section 1135 of the Social Security Act. The waivers apply to the following HIPAA provisions:
- The requirements to obtain a patient’s agreement to speak with family members or friends or to honor a patient’s request to opt out of the facility directory (45 CFR 164.510);
- The requirement to distribute a notice of privacy practices (45 CFR 164.520); and
- The patient’s right to request privacy restrictions or confidential communications (45 CFR 164.522).
HHS specifically noted that the above waivers apply to the Privacy Rule requirements only: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.
- 1135 Waiver Relating to the Good Faith Uses and Disclosures of PHI by Business Associates
On April 2, 2020, HHS issued a Notification of Enforcement Discretion under HIPAA to Allow Uses and Disclosures of PHI by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19. HHS noted that current HIPAA Privacy Rule regulations allowed a HIPAA business associate (BA) to use and disclose PHI for public health and health oversight only if expressly permitted by its BAA with a HIPAA covered entity (CE).
Exercising its enforcement discretion, HHS announced that OCR would not impose potential penalties for violations of certain provisions of the HIPAA Privacy Rule against covered health providers or their BAs for uses and disclosures of PHI by BAs for public health and health oversight activities during the COVID-19 emergency. The notification states it will remain in place until the HHS Secretary declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, whichever occurs first.
OCR’s enforcement discretion comes into play only if the BA makes a good faith use or disclosure of the CE’s PHI for public health activities consistent with 45 CFR 164.512(b), or for health oversight activities consistent with 45 CFR 164.512(d), and the BA informs the CE within ten (10) calendar days after the use or disclosure occurs or commences.
Examples of these types of disclosures may include PHI disclosure to the CDC (or similar State-level authority) for the purpose of controlling the spread of COVID-19, consistent with 45 CFR 164.512(b); or to CMS (or similar state-level public health authority) for purposes of overseeing and providing assistance for the health care system as it relates to the COVID-19 response, consistent with 45 CFR 164.512(d).
The Notice specified that its exercised enforcement discretion did not extend to other requirements or provisions under the Privacy Rule, or to any obligations under the HIPAA Security and Breach Notification Rules. BAs remain responsible for complying with the Security Rule’s requirements to implement safeguards and maintain the confidentiality, integrity, and availability of electronic PHI, including by ensuring secure transmission of ePHI to the public health authority or health oversight agency.