Fox Rothschild LLP partner Beth Larkin listened to the HHS Office for Civil Rights 4/24/20 webinar (which should be posted on its website at some point) regarding HIPAA and COVID-19 and took notes. Here’s my summary of key points, based on Beth’s notes:

Overview: OCR stresses that the HIPAA Rules are supposed to be balanced and flexible.  The HIPAA Rules do not prohibit sharing PHI, they just require covered entities and business associates to take appropriate steps to safeguard PHI in accordance with the HIPAA Rules.

OCR has issued HIPAA non-enforcement notices related to some of the topics covered in the webinar (on telehealth, community-based testing sites (CBTS) and business associate disclosure of PHI for public health purposes) and guidance (such as FAQs) related to other topics covered (on first responders and disclosures to family and friends involved in care and for notification purposes).   The non-enforcement notices apply to all HIPAA Rules, not just the Privacy Rule.  OCR’s HIPAA non-enforcement is based on a covered entity’s and business associate’s good faith efforts to comply with the non-enforcement notice. . OCR non-enforcement notices will not apply once the public health emergency is over, but OCR can still use its enforcement discretion. OCR tends to try to resolve complaints and investigations with technical assistance. Penalties are generally issued with respect to systemic non-compliance and egregious violations.

OCR will continue to issue COVID-19 guidance as needed. OCR puts all of its COVID-19 HIPAA information, including the non-enforcement notices and guidance discussed here (collectively “OCR guidance” for purposes of this blog), in a new HIPAA and COVID-19 section on its website.  Questions can be submitted to ocrmail@hhs.gov or by calling OCR number of 1-800-368-1019.  OCR reads through all of the emails/questions received and issues guidance based on emails/questions.

Remember that state laws may be more stringent and will also apply for HIPAA Covered Entity providers (“CE providers”) and Business Associates.

Key Points:

  • Public Health Requests and Minimum Necessary: If CDC or another public health authority makes a request for COVID-19 information from a CE provider for public health reasons, the CE provider can rely on the fact that the request meets the “minimum necessary” requirement, and can continue to provide the PHI over a period of time in response to the initial request (e.g., reporting may be required weekly- a new agency request not needed each time)
  • Public Health Activities and Business Associates: OCR will exercise enforcement discretion so that a business associate may use or disclose PHI for public health activities or health oversight activities, even if its business associate agreement does not expressly permit that use or disclosure
  • Media Disclosures: OCR stressed that disclosures to the media still generally require patient authorization.  CE providers still need to be careful and take appropriate precautions against media disclosures (e.g., be careful when news crews are filming COVID-19 stories).  OCR watches and reads the news too.
  • Telehealth:  OCR’s non-enforcement applies to all media that OCR considers “telehealth,” including online video, telephone, texts and emails.  It also applies to all health care rendered via telehealth, not just COVID-19 care.  A CE provider must use non-public facing methods of communication, enable privacy and security protections, and notify patients that there is a privacy/security risk.  While no business associate agreement (BAA) with the communications service provider is required, a number of service providers have stated that they operate in compliance with HIPAA and will provide BAAs.  CE providers should take reasonable precautions for patient privacy (e.g., close office door, lower voice).  While the OCR guidance does not apply to Part 2 Rules, OCR noted that SAMSHA has issued some guidance on telehealth under Part 2 Rules.
  • First Responders:  OCR’s guidance addresses exceptions that already apply, such that patient authorization is not required (e.g., disclosures for treatment, public health purposes, where required by law, and where there’s a serious imminent threat to the health and safety of a person or the public, ).   OCR allows CE providers like hospitals to release lists of COVID-19 positive individuals to EMS dispatch for purposes of notifying first responders on a case-by-case basis if there is a risk of infection (EMS can tell first responders being dispatched to a patient that the patient is COVID-19 positive but can’t post the list or distribute the list to first responders).  EMS can also ask 911 callers about COVID-19 symptoms and notify first responders. (EMS may not be a CE provider.)
  • COVID-19 Community-Based Testing Sites:   OCR’s non-enforcement only applies to the CBTS, not other services or activities of the CE providers or its business associates (including storage of testing results in an electronic records system). OCR recognizes that it’s hard to comply with HIPAA Rules when testing is being done in a parking lot or on a drive-thru basis. Reasonable safeguards (e.g., buffer zones, tarps or barriers used to add privacy, and secure technology) are still encouraged for CBTS.