On March 16 and 17, the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced limited waivers of penalties and sanctions with respect to certain HIPAA requirements due to the ongoing COVID-19 outbreak. The waivers provide some relief to hospitals with respect to certain aspects of the Privacy Rule and to all health care providers seeking to provide telehealth services.
Privacy Rule Waiver
On March 16, OCR announced that HHS Secretary Alex M. Azar had exercised his authority to temporarily waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
- the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient's care
- the requirement to honor a request to opt out of the facility directory
- the requirement to distribute a notice of privacy practices
- the patient's right to request privacy restrictions
- the patient's right to request confidential communications.
This limited waiver became effective March 15, and applies:
- in the emergency area identified in the public health emergency declaration (here, the entire United States);
- to hospitals that have instituted a disaster protocol; and
- for up to 72 hours from the time the hospital implements its disaster protocol.
Notably, this waiver only applies to hospitals that meet these requirements, and does not apply to any other covered entities or their business associates.
Telemedicine Waiver
In addition, in a separate March 17 announcement not covered by the March 16 waiver, OCR stated that, effective immediately, it would exercise its enforcement discretion and not impose penalties against covered health care providers for non-compliance with the HIPAA Rules in connection with the good faith provision of telehealth services during the COVID-19 public health emergency. This waiver applies to telehealth provided for any reason, not just for diagnosis or treatment of health conditions related to COVID-19. Whereas the privacy waiver is limited to hospitals during the 72 hours after a disaster plan is implemented, this more expansive waiver is a "game changer" that presents meaningful opportunities to expand health care offerings and methodologies.
To facilitate the provision of telehealth services, OCR noted that health care providers "can use any non-public facing remote communication product that is available to communicate with patients" and that penalties will not be imposed for the lack of a business associate agreement with the vendor. OCR explained that it would be permissible in this context to use services like Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, but that public platforms like Facebook Live, Twitch, or TikTok may not be used. Despite the waiver, health care providers should still be diligent when implementing these services by, at a minimum:
- Carefully reviewing the vendor's terms of use and privacy policy;
- Enabling all available encryption and privacy controls;
- Notifying patients that these applications may present privacy risks;
- Obtaining a business associate agreement whenever possible;
- Developing policies and procedures to ensure the proper documentation, consents, and permissions are obtained during the encounter; and
- Creating a high-level plan for concluding the use of these applications when the waiver concludes.
If you have any questions regarding these HIPAA waivers and the ongoing COVID-19 emergency, please contact Alisa Chestler, Andrew Droke or a member of Baker Donelson's HIPAA Compliance Team. Also, please visit our Coronavirus (COVID-19): What You Need to Know information page on our website.