HHS Issues Temporary Waiver of HIPAA Penalties for Hospitals in Response to COVID-19

 

by Mark Paulding

In light of the spread of COVID-19, Secretary of Health and Human Services Alex Azar has released two statements relaxing HIPAA enforcement against healthcare providers concerning: (1) the exercise of certain patient rights under the Privacy Rule and (2) privacy and security safeguards applicable to video conferencing tools used to provide telehealth services.

Waiver of Sanctions and Penalties Regarding Patient Rights

The first statement temporarily waives sanctions and penalties that would normally be applicable to hospitals. HIPAA regulatory requirements covered by this limited waiver include:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care;

  • The requirement to honor a request to opt out of the facility directory;

  • The requirement to distribute a notice of privacy practices;

  • The patient’s right to request privacy restrictions; and

  • The patient’s right to request confidential communications.

The statement also provides a summary of existing HIPAA provisions regarding disclosure of protected health information for public health purposes. Secretary Azar is authorized to issue such temporary waivers under the Project BioShield Act of 2004, an authority that has been invoked during public emergencies such as Hurricane Dorian relief efforts in Puerto Rico, Florida, Georgia, South Carolina, and North Carolina.

Ultimately, this waiver is fairly narrow, limited to hospitals only. The waiver does not apply to other types of HIPAA covered entities, such as pharmacies and insurers. In addition, the waiver only applies to hospitals that have implemented a disaster protocol. This waiver will last no longer than 72 hours after the disaster protocol has been initiated.

Enforcement Discretion Regarding Video Conferencing Services for Telehealth Purposes

The second statement announces that HHS will not pursue enforcement actions against health care providers who, in good faith, use “any non-public facing remote communication product” to communicate with patients during the COVID-19 national emergency. This enforcement safe harbor applies to any health care services provided during the national emergency, whether or not they are related to COVID-19. Health care providers may use “non-public facing” applications such as Skype, Apple FaceTime, Google Hangouts, and Facebook Messenger to provide telehealth services. However, the notice expressly notes that public-facing applications, such as Facebook Live, TikTok, and Twitch, should not be used for telehealth purposes.

When using remote communication products, health care providers should notify patients that these technologies may present privacy risks. Furthermore, health care providers should activate all available privacy and security safeguards, including encryption, embedded in these products. Despite HHS’ choice to exercise discretion in this area, the agency recommends that health care providers use services that are HIPAA compliant to the degree feasible.