EXECUTIVE SUMMARY

The Department of Health and Human Services Office for Civil Rights will disregard some HIPAA violations during the pandemic response. Risk managers should understand which parts of the privacy rule are affected.

  • The signing requirement to speak to a patient’s family is waived.
  • Patients do not have to be offered confidential communications.
  • Telehealth service changes will raise potential HIPAA issues.

The HHS Office for Civil Rights (OCR) is waiving some HIPAA sanctions and penalties, but hospital risk managers should study the modifications to understand exactly what is and is not allowed.

OCR issued a statement saying it would not pursue sanctions and penalties for healthcare organizations that do not comply with these HIPAA Privacy Rules:

  • 45 CFR 164.510(b): Obtain a patient’s agreement to speak with family members or friends involved in the patient’s care;
  • 45 CFR 164.510(a): Honor a request to opt out of the facility directory;
  • 45 CFR 164.520: Distribute a notice of privacy practices;
  • 45 CFR 164.522(a): The patient’s right to request privacy restrictions;
  • 45 CFR 164.522(b): The patient’s right to request confidential communications.

The changes are intended to reduce the compliance burden on overworked hospital staff, says Matthew R. Fisher, JD, partner with Mirick O’Connell in Worcester, MA.

“It’s about not having to worry about getting some documents signed. They were already talking about eliminating the signing document anyway,” Fisher says. “They’re giving some wiggle room in terms of how to share information, trying to get people who might have secondary contact info in their hands, or just to allow concerned family members to know what’s going on.”

To qualify for the waiver, the covered entity must be in the emergency area identified in the public health emergency declaration, and the hospital must have instituted a disaster protocol. The waiver is valid for up to 72 hours from the time the hospital implements its disaster protocol.

OCR pointed out that when the public health emergency declaration terminates, a hospital must then comply with all the HIPAA requirements for any patient still under its care. That is true even if it has been 72 hours since the hospital implemented its disaster protocol, OCR explained. (The OCR statement is available online at: https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf.)

OCR may make further allowances regarding HIPAA compliance, Fisher says. “It’s been demonstrated that as the need arises, action will be taken,” he says. “The goal of all this action is to promote access to care and hopefully protect the health and well-being of as many people as possible. Healthcare leaders just need to stay abreast of the changes so you understand the limitations and opportunities that are presented to you.”

Telehealth Raises HIPAA Issues

HIPAA requirements can be difficult to meet when using telehealth services, which many hospitals are using more to deal with the surge of patients, says Kyle A. Vasquez, JD, shareholder with Polsinelli in Chicago. The easing of federal and state requirements for telehealth has some clinicians and organizations making greater use of the technology, but HIPAA should be considered, he says.

The good news is that OCR said they will allow the use of some telehealth technology that usually is not considered HIPAA-compliant. OCR indicated that providers can use “non-public-facing remote technologies” including Skype, Apple FaceTime, or Facebook Messenger video chat. “Public-facing” technology that can be accessed by more than the two individuals, like Facebook Live or TikTok, cannot be used.

“They’ve said they’re going to use their enforcement discretion to allow certain modalities that previously could not be used because they know that more people have access to them,” Vasquez says. “There still may be state privacy issues to consider because some states are still saying no, that they want a HIPAA-compliant methodology like Zoom for Healthcare. Privacy is an area to think through before you widely implement telehealth services during the pandemic.”

OCR will exercise enforcement discretion by not imposing penalties for noncompliance with HIPAA for the good faith provision of telehealth. The enforcement discretion will apply to any use of telehealth services during the pandemic period, not just related to COVID-19.

OCR does still prefer the use of HIPAA-compliant services, Fisher notes. The announcement stating that other technology will be acceptable includes a final statement that OCR would be happier if providers stick with the usual approved modalities, he says.

“They are acknowledging that the current situation requires some flexibility, and more people will have access if they allow the use of the commonly available technologies,” Fisher says. “But if you have a choice and if you want to maintain your HIPAA compliance efforts even in these difficult times, OCR would rather you stick with a fully compliant, secure service even now.”