Client Alert
HHS Releases Critical Guidance on the Application and Enforcement of HIPAA During the COVID-19 Pandemic
March 27, 2020
The U.S. Department of Health and Human Services (HHS) has issued a number of critical notices in connection with the application of the Health Insurance Portability and Accountability Act (HIPAA) and the use, disclosure and protection of protected health information (PHI) to issues that have arisen in connection with the COVID-19 pandemic. In all instances, HHS has reiterated that the requirements of the HIPAA Privacy, Security and Breach Notification Rules remain in force; however, in certain circumstances, HHS has exercised its discretion to waive sanctions and penalties or refrain from initiating enforcement actions for an entity’s failure to comply with such requirements. HHS has also released practical guidance to highlight the application of certain HIPAA requirements to real-life scenarios that have become common in the midst of the COVID-19 pandemic.
I. Waiver of Sanctions and Penalties – Violations of HIPAA Privacy Rule Following Implementation of Hospital Disaster Protocol
On March 13, 2020, following President Donald J. Trump’s Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak, the HHS Secretary issued a Waiver or Modification of Requirements Under Section 1135 of the Social Security Act (SSA). The purpose of the waiver is to make health care more accessible to Medicare, Medicaid, and Children’s Health Insurance Program (CHIP) patients. The waiver became effective on March 15, 2020, but has retroactive effect to March 1, 2020. While it covers several different SSA requirements, the waiver in particular touches upon certain HIPAA privacy requirements under section 1135(b)(7).
In particular, HHS will waive sanctions and penalties for violations of certain provisions of the HIPAA Privacy Rule that occur within 72 hours of a hospital initiating its hospital disaster protocol. The waiver applies to the requirement to obtain a patient’s agreement to speak with family members or friends involved in a patient’s care; the requirement to honor a patient’s request to opt out of a facility’s directory; the requirement to distribute the notice of privacy practices; and the patient’s right to request privacy restrictions and confidential communications. For more information, read our full briefing here.
II. OCR Bulletin Regarding the Sharing of PHI In Emergency Situations
On March 16, 2020, HHS – Office of Civil Rights (“OCR”) issued the COVID-19 and HIPAA Bulletin. In addition to summarizing the Waiver or Modification of Requirements Under Section 1135 of the Social Security Act (SSA), OCR outlined the provisions of the Privacy Rule that may be applicable to disclosures of PHI in emergency situations, such as the COVID-19 pandemic. This bulletin includes overviews of disclosures for purposes related to treatment and public health activities, disclosures for notification purposes, disclosures to family, friends and others involved in an individual’s care, disclosures to prevent or lessen a serious and imminent threat, and disclosures to the media or others not involved in the individual’s care. OCR also reinforced the need to protect PHI and to limit any disclosure of PHI to the minimum amount necessary to accomplish the intended purpose. For more information, read our full briefing here.
III. OCR Notification of Enforcement Discretion – Violations of HIPAA Privacy, Security and Breach Notification Rules In Connection With Use of Applications for Telehealth Purposes
Consistent with its response to the public health emergency, OCR published a notification on March 17, 2020 and clarifying guidance on March 20, 2020, that it will be exercising its discretion and refraining from imposing penalties on covered health care providers for noncompliance with HIPAA’s Privacy, Security or Breach Notification Rule requirements in connection with the good faith provision of health care that, in the provider’s professional judgment, can be delivered via telehealth, regardless of whether or not the telehealth services relate to the treatment of COVID-19. OCR will issue a notice when it will no longer refrain from initiating enforcement with respect to these telehealth services. For more information, read our full briefing here.
IV. HHS Notice Recommending Vigilance Due to COVID-19 Cyber Scams
On March 18, 2020, HHS shared Defending Against COVID-19 Cyber Scams, a bulletin from the Cybersecurity and Infrastructure Security Agency (CISA) at the U.S. Department of Homeland Security.
Specifically, CISA warns individuals to be wary of emails with potentially malicious attachments or links to fraudulent websites. These links or websites may aim to trick individuals into revealing sensitive information or donating to fraudulent charities. Among other advice, CISA encourages individuals to use trusted sources, such as legitimate government websites, when looking for accurate and up-to-date information on COVID-19, refrain from revealing personal or financial information in an email, and avoid charity scams by verifying a charity’s authenticity before making donations.
V. OCR Guidance Related to the Disclosure of PHI to Law Enforcement, Paramedics, First Responders and Public Health Authorities
On March 24, 2020, OCR released a set of Frequently Asked Questions to clarify when covered entities are permitted under HIPAA to release patient PHI to law enforcement, paramedics, first responders and public health authorities. OCR confirmed that covered entities may, in particular circumstances, disclose PHI about an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities so that first responders can take extra precautions or use personal protective equipment. Such disclosures may take place in certain situations, including when the disclosure is needed for treatment, when the disclosure is required by law, when notifying a public health authority, when a first responder may be at risk of infection, when the disclosure is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, or when responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual. For more information, read our full briefing here.
If you have additional questions or need further assistance, please feel free to reach out to Alessandra Swanson or your Winston relationship attorney.
View all of our COVID-19 perspectives here. Contact a member of our COVID-19 Legal Task Force here.