New HIPAA Waivers for Health Care Providers During the COVID-19 Emergency
This post provides an update on a number of HIPAA waivers that have just been made available to health care providers: (1) waivers for hospitals in the initial 72 hours of enacting a disaster protocol; and (2) waivers for all health care providers to allow them to use “everyday communications technologies, such as FaceTime or Skype, during the COVID-19 nationwide public health emergency” for the provision of patient care services. Each waiver is addressed more fully below.
Waivers for Hospitals in the Initial 72 Hours of Enacting a Disaster Protocol
First, the Secretary of the Department of Health and Human Services (HHS) has issued limited HIPAA waivers to hospitals. The waivers are retroactive to March 15, 2020. See the HHS HIPAA waiver document here. We addressed the possibility of these waivers in our earlier post, available here, along with a summary of some of the main HIPAA laws already in place which may be helpful to covered entities and business associates during this time of national and public health emergency.
The HIPAA waiver document starts by reminding covered entities and their business associates that, in general, the HIPAA rules are not suspended during this time of a national and public health emergency. In particular, addressing a topic of much discussion among providers, the guidance includes a reminder that the HIPAA security safeguards rules (mandating reasonable administrative, technical and physical safeguards) apply to uses and disclosures of electronic protected health information as always. This statement is a reminder to health care providers of their obligations to use appropriate safeguards when using or disclosing protected health information (but see Part 2 of this blog post, below, which describes a new waiver allowing providers to use everyday communications technologies for patient care).
The HIPAA waiver will only apply to hospitals:
(1) in the emergency area identified in the public health emergency declaration (the declaration applies nationwide, see the declaration here);
(2) that have instituted a disaster protocol; and
(3) for up to 72 hours from the time the hospital implements its disaster protocol.
After the 72 hours elapse, the hospital is required to return to full HIPAA compliance, even for patients who are still under care at the time. Also, if the national emergency or the public health emergency is terminated, the hospital is required to return to full HIPAA compliance, even if the 72 hours have not elapsed.
The waivers permit U.S. hospitals that have instituted their disaster protocol to have the following HIPAA requirements waived during the initial 72 hours of the disaster protocol:
• the requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
• the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
• the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
• the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
• the patient’s right to request confidential communications. See 45 CFR 164.522(b).
Waivers for All Health Care Providers to Allow the Use of Everyday Communications Technologies for Patient Care
Second, the HHS Office for Civil Rights (OCR) announced that it will “exercise enforcement discretion and waive penalties for HIPAA violations against health care providers that serve patients in good faith through everyday communications technologies, such as FaceTime or Skype, during the COVID-19 nationwide public health emergency.” See the announcement from OCR here. A few days later, OCR issued FAQs regarding telehealth and OCR’s waiver of penalties for the use of everyday communications technologies, available here.
This second announcement is particularly refreshing for health care providers who have been anxiously seeking easier methods, such as the use of personal devices and specific technologies, to interact via audio and/or video technologies with their patients and colleagues.
Specifically, OCR states: “A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients…. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.”
OCR provides the following examples of technology that will be allowed:
“…a video chat application connecting the provider’s or patient’s phone or desktop computer in order to assess a greater number of patients while limiting the risk of infection of other persons who would be exposed from an in-person consultation.”
“…popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype…”
The OCR makes clear that this technology is also allowed to assess or treat any other medical condition, even if not related to COVID-19. Further, the OCR also states in the notice that it will not impose penalties against health care providers that do not have a business associate agreement in place with such technology vendors.
The OCR provides the following examples of technology that will not be allowed because they are public facing:
- Facebook Live
- similar video communication applications that are public facing
Finally, the OCR acknowledges that some health care providers may still wish to use technology vendors that are “HIPAA compliant” and with whom the health care provider has entered into a business associate agreement related to the vendor’s video communications products. The OCR provides a list of some technology vendors that represent that they provide HIPAA-compliant video communication products and will enter into a business associate agreement (although the OCR states that it does not endorse any particular technology and it has not reviewed the business associate agreements of these vendors):
- Skype for Business
- Zoom for Healthcare
- Google G Suite Hangouts Meet
However, a few words of caution:
- The OCR encourages providers to notify their patients that these third-party applications potentially introduce privacy risks.
- Providers should also take as many security precautions as possible to protect patient information such as enabling “all available encryption and privacy modes when using such applications,” and having these conversations in private spaces to avoid others who are not involved in the patient’s care overhearing the communication.
- Further, even if a provider is using “everyday communications technologies,” the provider should take care to record the interactions in the patient’s medical record to ensure that patients’ records are complete and accurate.
We are continuing to monitor this ever-evolving area of the law and will continue to post updates. Please call the authors of this post or your regular Dorsey attorney if you have any questions.