Is Your Organization HIPAA Compliant During COVID-19?
Shakeups to the regulatory landscape surrounding health care and the practice of medicine have been constant and considerable during the COVID-19 pandemic. Though the response is evolving, there have been two notable developments related to the Health Insurance Portability and Accountability Act (HIPAA):
- On March 17, 2020, the HHS’ Office of Civil Rights (OCR) issued a Notification of Enforcement Discretion to provide greater flexibility for providing telehealth services via the use of remote communication technology; and
- Effective as of March 15, 2020, the HHS issued a Limited Waiver of HIPAA sanctions and penalties against covered hospitals and providers who do not comply with certain HIPAA Privacy Rules during the pandemic.
Both actions are a product of the COVID-19 pandemic following the declaration of a nationwide public health emergency. The new guidance is meant to ease building burdens placed on providers during this time, mitigate the spread of the virus, and enable greater access to patient information to aid in addressing the national crisis.
Though they free providers from historically tedious rules, the measures are not a free pass to forgo compliance efforts, nor do they immunize providers from potential penalties and reproach. On the contrary; they place providers in a position where best practices and comprehensive compliance protocols must be implemented to limit risks.
HIPAA Enforcement Discretion
Providers offering telehealth services during the COVID-19 national public health emergency will do so under a temporary policy of enforcement discretion. The policy allows providers to ensure remote access to care for patients, and reduce risks of transmission among providers and the public alike.
Per the OCR Notification:
- The discretion will apply to telehealth provided for any reason (coronavirus-related or not), and to any non-public facing remote communication product.
- The OCR will not impose penalties for non-compliance with HIPAA Security Rules against covered providers who provide telehealth services during the COVID-19 national public health emergency via traditionally non-compliant communication technologies if services are provided in good faith.
Specifically, OCR will allow providers to use any non-public facing video or audio communication technology to provide telemedicine services, and references examples of vendors and technologies that can and cannot be used under OCR’s new guidance:
- HIPAA-Compliant for Telehealth: Skype for Business / Microsoft Teams, Updox, VSee, Google G Suite Hangouts Meet, Zoom for Healthcare, Doxy.me, Cisco Webex Meetings, Amazon Chime, and GoToMeeting (these vendors will enter into HIPAA BAAs).
- Technologies That Can Be Used for Telehealth: FaceTime, Facebook Messenger Video Chat, Google Hangouts Video, Skype.
- Technologies That Cannot Be Used: Facebook Live, Twitch, TikTok.
While OCR is implementing greater discretion for telemedicine during COVID-19, every provider must still exercise professional judgment is numerous areas, particularly when:
- Determining whether telehealth is appropriate for evaluating or treating medical issues;
- Using an appropriate means of nonpublic-facing remote communication;
- Ensuring they comply with applicable state law (as telehealth is heavily regulated at the state level) prior to initiating telehealth services;
- Establishing a comprehensive and effective compliance plan.
Limited Waiver of HIPAA Sanctions & Penalties
Effective as of March 15, 2020, HHS Secretary Alex M. Azar exercised authority to waive sanctions and penalties against covered hospitals that don’t comply with the following HIPAA Privacy Rule provisions:
- Obtaining patient agreement to speak with family members or friends involved in their care - 45 CFR 164.510(b);
- Honoring requests to opt out of facility directories - 45 CFR 164.510(a);
- Distributing notice of privacy practices - 45 CFR 164.520;
- Patients’ rights to request privacy restrictions - 45 CFR 164.522(a);
- Patients’ rights to request confidential communications - 45 CFR 164.522(b);
The HHS COVID-19 & HIPAA Bulletin noted that when a waiver is issued, it applies only:
- In Emergency Areas identified in the public health emergency declaration (currently, the entire U.S.);
- To Hospitals with implemented disaster protocol; and
- For up to 72 hours from the time hospital disaster protocol is instituted.
Even in emergency situations, covered hospitals and entities (i.e. health plans, health care clearinghouses, and providers that electronically conduct one or more health care transactions) must still take reasonable measures to implement safeguards that protect patient information from disclosures.
Covered entities and business associates must additionally apply technical (ePHI encryption, authentication, etc.), administrative (risk assessment, training, contingencies), and physical safeguards (controlled access, managed workstations, mobile device policies) of the HIPAA Security Rule to electronically protected health information.
COVID-19: Ensuring HIPAA Compliance & Minimizing Risks
In times of national emergencies, the federal government has a vested interest in clearing burdens for needed care and public safety, especially when it comes to sharing protected health information that can help prevent or control a disease. However, regulatory discretion and waivers do not eliminate risks of breaches or potential penalties and sanctions.
To manage risk exposure and ensure compliance, providers and covered entities are best served by experienced legal counsel capable of conducting the comprehensive assessments needed to evaluate vulnerabilities, manage privacy and security, prepare for audits, implement training and emergency protocol, and oversee compliance in a complex and constantly evolving environment.
At Hendershot Cowart, P.C., our health and medical lawteam draws from decades of collective experience to assist providers across Texas and the U.S. in a range of regulatory compliancematters – including those involving HIPAA, telemedicine, OSHA compliance, medical contracts, and the COVID-19 crisis. Call today to speak with an attorney.