The Department of Health and Human Services’ Office for Civil Rights (OCR) has issued a warning that it has received reports that someone has been impersonating an OCR inspector in an effort to access HIPAA Protected Health Information (PHI).

According to the agency: “The individual identifies themselves on the telephone as an OCR investigator, but does not provide an OCR complaint transaction number or any other verifiable information relating to an OCR investigation. HIPAA covered entities and business associates should alert their workforce members, and can take action to verify that someone is an OCR investigator by asking for the investigator’s email address, which will end in, and asking for a confirming email from the OCR investigator’s email address.  If organizations have additional questions or concerns, please send an email to:”

HIPAA Covered Entity and Business Associate clients interested in receiving security and privacy updates directly from OCR can sign up here.

On March 20, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) published Guidance and a list of FAQs related to the provision of telehealth and HIPAA compliance.

“OCR will exercise enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.  This notification is effective immediately.”

Here are several “Dos” and “Don’ts” for covered health care providers from the Guidance and FAQs:

Dos:
1.  Exercising professional judgment, use a video chat application that connects to the provider’s or patient’s phone or desktop computer to assess or treat a patient in connection with potential COVID-19 infection.

2.  Exercising professional judgment, use the video chat application to assess or treat any other medical condition, even if not related to COVID-19, such as a sprained ankle or other ailment and for dental consultations, psychological evaluations and other assessments.

3.  Use popular applications that allow for video chats, including Apple’s FaceTime, Facebook Messenger video chat, Google Hangouts video or Skype, to provide telehealth. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

4.  If seeking additional privacy protection for telehealth while using video communication products, engage vendors that will enter into HIPAA business associate agreements (BAAs) in connection with the provision of the product, including the following vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA:

  • Skype for Business / Microsoft Teams
  • Updox
  • VSee
  • Zoom for Healthcare
  • Google G Suite Hangouts Meet

Don’ts:
1.  Use public-facing video communication applications, such as Facebook Live, Twitch, TikTok, and similar video communication applications.

2.  Rely on the OCR’s discretion regarding HIPAA enforcement if you are a substance use disorder program subject to Part 2 (see here for Guidance related to Part 2).

3.  Expect HIPAA enforcement discretion if you are a covered entity health plan (see FAQ #2).

4.  Expect Medicare or Medicaid reimbursement for all telehealth services (see FAQ #1 and CMS Guidance).

5.  Expect HIPAA enforcement discretion for activities unrelated to telehealth. The Security Rule, Privacy Rule, and Breach Notification Rule continue to apply in all other contexts.

By Margaret J. Davino, Salvatore J. Russo and Nawa A. Lodin

In the Medicare Telemedicine Healthcare Provider Fact Sheet published March 17, 2020, the Centers for Medicare & Medicaid Services (CMS) broadened access to Medicare telehealth services to allow Medicare patients to receive more services from their doctors without travel to a health care facility. This benefit is available on a temporary and emergency basis under the 1135 waiver authority and Coronavirus Preparedness and Response Supplemental Appropriations Act, to provide telemedicine services during the national emergency declared regarding COVID-19.

Before this new waiver, Medicare only paid for telehealth when the patient was in a designated rural area and left the home and went to a clinic, hospital or certain other types of medical facilities for the service.  Now, Medicare can pay for office, hospital and other visits furnished via telehealth across the country including in patient’s places of residence, retroactive to March 6, 2020. A range of providers, such as doctors, nurse practitioners, clinical psychologists and licensed clinical social workers, will be able to offer telehealth to their patients. Additionally, the HHS Office of Inspector General (OIG) is providing flexibility for health care providers to reduce or waive cost-sharing for telehealth visits paid by federal health care programs.

Also, effective immediately, the HHS Office for Civil Rights (OCR) will exercise enforcement discretion and waive penalties for HIPAA violations against health care providers that serve patients in good faith through communications technologies, such as FaceTime or Skype, during the COVID-19 nationwide public health emergency.  See Emergency Situations: Preparedness, Planning, and Response, from HHS.

Medicare Telehealth Visits

Starting March 6, 2020 and for the duration of the COVID-19 public health emergency, Medicare will pay for professional services to beneficiaries in all areas of the country in all settings (instead of the limited originating sites listed before March 6). For this Medicare telehealth visit, the provider must use an interactive audio and video telecommunications system that permits real-time communication between the distant site and the patient at home. Although Medicare normally requires that the patient have a prior established relationship with a particular practitioner, HHS will not conduct audits to ensure that such a prior relationship existed for claims submitted during this public health emergency. These visits are considered the same as in-person visits and are paid at the same rate as regular in-person visits.

The Medicare coinsurance and deductible would generally apply to these services. However, the HHS Office of Inspector General (OIG) is providing flexibility for health care providers to reduce or waive cost-sharing for telehealth visits paid by federal health care programs.

Other Medicare Telehealth Visits

The CMS Fact Sheet reminds providers that there are two previously existing types of telehealth services:  virtual check-ins and e-visits.

Virtual check-ins: In 2019, Medicare started paying in all areas (not just rural), for established Medicare patients in their homes to have a brief communication service (virtual check-in) with practitioners via a number of communication technology modalities including synchronous discussion over a telephone or through video or image (unlike Medicare telehealth visits, which require audio and visual capabilities for real-time communication). The practitioner may respond to the patient’s concern by telephone, audio/video, secure text messaging, email or use of a patient portal. The communication may not be related to a medical visit within the previous seven days and cannot lead to a medical visit within the next 24 hours (or soonest appointment available). The patient must verbally consent to receive virtual check-in services. The Medicare coinsurance and deductible applies to these services. In addition, separate from these virtual check-in services, captured video or images can be sent to a physician (HCPCS code G2010).

E-visits: In all types of locations including the patient’s home, and in all areas (not just rural), established Medicare patients may have non-face-to-face patient-initiated communications with their doctors without going to the doctor’s office by using online patient portals. The patient must generate the initial inquiry and communications can occur over a seven-day period. The services may be billed using CPT codes 99421-99423 and HCPCS codes G2061-G2063, as applicable. The patient must verbally consent to receive virtual check-in services. The Medicare coinsurance and deductible would apply to these services.

State Law

This CMS Fact Sheet involves only federal law, and does not change state laws, e.g., state licensing laws that require that a physician be licensed in the state in which the patient resides, or state Medicaid requirements.  The New York State Department of Financial Services just published this notice yesterday relaxing reimbursement provisions for telehealth services:  Please note also the NJ Telemedicine Act, N.J.S.A. 45:1-62 et al, which requires the physician to provide the patient with certain information, including his or her professional credentials, before engaging in telemedicine (requiring a proper consent form) and requires the physician to establish a provider-patient relationship before prescribing medication to the patient based solely on answers to an online questionnaire, along with how to establish that relationship.

Effective March 15, 2020, certain hospitals that fail to comply with specific HIPAA Privacy Rule requirements will not be subject to HIPAA sanctions and penalties, according to a “COVID-19 & HIPAA Bulletin” issued by U.S. Health and Human Services Secretary Alex M. Azar. The waiver was implemented as a response to President Trump’s recent declaration of a nationwide emergency concerning COVID-19 and Secretary Azar’s declaration of a public health emergency on January 31, 2020.

Note that this HIPAA waiver is limited. It only applies to (1) hospitals located in an emergency area identified in a public health emergency declaration; (2) hospitals that have instituted a disaster protocol; and (3) for up to 72 hours after the hospital institutes its disaster protocol. When President Trump’s or Secretary Azar’s emergency declaration ends, the HIPAA waiver will end.

In addition, the HIPAA waiver only applies to the following specific HIPAA Privacy Rule requirements:

  • obtaining the patient’s consent to speak with family and friends involved in patient care as per 45 C.F.R. 164.510(b)
  • honoring the patient’s request to opt out of being included in the facility directory as per 45 C.F.R. 164.510(a)
  • distributing the Notice of Privacy Practices to patients as per 45 C.F.R. 164.520
  • giving individuals the right to request restrictions on the use or disclosure of their protected health information as per 45 C.F.R. 164.522(a)
  • honoring the individual’s right to restrict disclosure of protected health information to a health plan as per 45 C.F.R. 164.522(b)

The Bulletin reiterates many of the points addressed in HHS’s February 3, 2020 Bulletin on HIPAA and COVID-19, discussed here in a prior post. The bottom line?  HIPAA remains in place during emergencies, except for a limited set of covered entities and with respect to limited provisions of the HIPAA Privacy Rule as described above.


If your company is a covered entity or a business associate, you face unique challenges when workforce members ask or are required to work from home. Hopefully, your company’s HIPAA Security Policies and Procedures address the use of portable devices, whether they are owned by the employer or by the employee, and your HIPAA security risk assessment should take into account any location in which electronic protected health information (PHI) might be created, received, maintained or transmitted.  Still, it’s important to remind employees of their obligations with respect to HIPAA compliance and to make sure PHI is protected when used or disclosed outside of the office, particularly when Coronavirus concerns result in changes to the way in which information is typically accessed or communicated.

Here are a few HIPAA privacy and security basics to keep in mind if employees will be handling PHI while working from home.

A is for Access: Check that home devices have access controls, such as automatic logoff.  Implement technical policies and procedures that grant access rights to specified workforce members, and that limit access to only those systems and software programs that have been approved by the company.  See HHS FAQ on this topic here.

B is for Breach: Remind employees to avoid breach scenarios that are more likely to occur when working off-site, such as preventing family members or guests from viewing or overhearing PHI, not using public or unsecured networks to access or communicate PHI, and being aware of where copies of PHI are made and stored, whether paper or electronic. Implement a policy and procedure for employees to return paper and electronic files to the employer’s office or system and destroy copies that could end up in home trashcans or on personal devices.

C is for (secure) Connection: Check that employees have access to a secure network connection. The HIPAA Security Rule requires that you document establishment of all safeguards (technical, physical, and administrative) needed to protect information exchanged in a network. Check the HIPAA Security Rule on transmission security, and document how you have addressed integrity controls and encryption. See HHS FAQs on this topic here and here.

The FAQs included in my prior post address  employer response with an eye to HIPAA compliance.  What else can an employer do or not do with employee information related to COVID-19 status?   Even covered entities and business associates concerned with HIPAA must be alert to other laws that affect their communications and action plans.   Employers should check with labor counsel for laws and requirements that may apply.  Employers should also be aware that state-specific privacy and data security laws may apply to the collection, retention, use and disclosure of health information.

See here for a recent article on workplace considerations related to Coronavirus published by Fox Rothschild LLP colleagues who practice in our Labor and Employment practice.

Fox Rothschild partner Bill Maruca’s article, “Protecting Privacy During an Infectious Disease Panic”, is (unfortunately) as relevant today as it was when it was posted here more than 5 years ago. Swap Ebola for COVID-19, and the article provides useful guidance for covered entities and business associates subject to HIPAA and to employers, family and friends who are not.

More recently, the U.S. Department of Health and Human Services published a Bulletin that emphasizes the important and HIPAA-permitted circumstances under which COVID-19 patients’ information may be disclosed.

Key take-aways from the Bill’s article and from the HHS Bulletin include: (1) only covered entities and business associates (and their subcontractors) are subject to HIPAA, and (2) HIPAA allows disclosures under certain circumstances, such as where disclosures are necessary to prevent a serious and imminent threat and are consistent with applicable law and covered entities’ standards or codes of conduct.

The following FAQs illustrate these take-aways (note that these focus on HIPAA only and not on other potentially applicable laws, such as employment-related laws and state privacy laws):

Q.1. I work in HR at my company. An employee came to me this morning and told me that his adult son, who resides with the employee, tested positive for Coronavirus this past weekend. Will I violate HIPAA if I tell my supervisor with or without consent of the adult son or the employee? Can my supervisor alert other employees in the office?

A.1. You will not violate HIPAA by telling your supervisor, and your supervisor will not violate HIPAA by alerting other employees. Neither you nor your supervisor is a covered entity, business associate, or subcontractor (but see next FAQ) and so HIPAA does not apply.

Q.2. I work in HR at my company and am responsible for overseeing our self-funded group health plan. Same facts and questions as above.

A.2. Because you have HIPAA obligations due to your role with respect to the company’s group health plan (which is a covered entity under HIPAA), you need to be cautious with respect to this information. We recommend you consult your HIPAA Privacy Officer or HIPAA counsel regarding the disclosure by the employee to you and the circumstances of the disclosure to determine whether HIPAA applies and, if it does, whether HIPAA would allow you to inform your supervisor.

Q.3. I work in HR at my company and am responsible for overseeing our self-funded group health plan. I reviewed a claim for services rendered by a hospital to an employee who has been out of work due to illness for the past several weeks. The claim included diagnosis codes that suggest the employee was treated for COVID-19. Can I tell my supervisor? Can my supervisor alert other employees?

A.3. HIPAA applies to your communications regarding protected health information (PHI), so you must proceed with caution. HIPAA permits the disclosure of PHI if it is necessary to prevent or lessen a serious or imminent threat to the health or safety of a person or the public, and it is consistent with other applicable law. However, it does not appear that you have sufficient information to rely upon this “serious and imminent threat” exception as the basis for disclosure. You do not know that the patient had tested positive for Coronavirus or was treated for COVID-19, nor have you demonstrated how notification would prevent a serious and imminent threat (the employee has not been in the office for several weeks). This situation clearly calls for further consultation with knowledgeable medical and/or legal professionals.

Fellow Fox Rothschild LLP Partner (and former hospital system General Counsel) Salvatore J. Russo generously contributed this post.

Some twenty-three years ago, the first well-publicized incident of the re-identification of de-identified personal health data was brought to the attention of the American public. It involved the then governor of Massachusetts, William Weld. Dr. Latanya Sweeney, a graduate student from MIT, combined de-identified data with the publicly available Cambridge voter registration list, and by linking the two sets turned the de-identified data back into identifiable data, locating the Governor’s health records, including diagnosis and prescriptions.

In 2008, after Netflix publicly released movie rating records, two researchers from the University of Texas, Arvind Narayanan and Vitaly Shmatikov, matched the released data with the Internet Movie Database and successfully re-identified the users. In 2018, using publicly available Amazon review data, a group from MIT re-identified persons from the Netflix dataset.

Finally, it was reported in the December 2018 issue of the Journal of the American Medical Association that researchers from the United States and China collaborated on a project to re-identify individuals from a national de-identified physical activity data set.  Using an algorithm employed in machine learning to pair daily patterns in physical activity data with corresponding demographic data, they were fairly successful in de-anonymizing the information.

HIPAA seeks, among other things, to protect the privacy of health information by de-identification. The HIPAA gold standard for de-identification for protected health information is achieved by one of two means.   De-identification can result from the stripping of the 18 types of identifiers from protected health information.   Alternatively, it can be accomplished by expert determination that there is a very small risk of identification. This approach must be reconsidered. Moreover, HIPAA only governs “covered entities,” and not the vast array of business enterprises that possess private health information.
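The linkage risk in the Weld example and the safe-harbor coarsening described here can be measured rather than just described. The following Python is an added example written for this page (not code from the original post or from any HIPAA tool): it counts how many records in a constructed, de-identified dataset are unique on the quasi-identifiers ZIP code, date of birth and sex (the three fields Sweeney matched against the voter list), then applies safe-harbor-style generalization plus suppression and re-measures. The dataset, field names and the k threshold are assumptions.

```python
from collections import Counter

# Constructed sample of "de-identified" records: names stripped, but the
# quasi-identifiers ZIP, date of birth and sex left intact. Not real data.
RELEASED_RECORDS = [
    {"zip": "02138", "dob": "1945-07-31", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1945-07-31", "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "dob": "1946-02-12", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1945-11-02", "sex": "M", "diagnosis": "flu"},
    {"zip": "02139", "dob": "1945-11-02", "sex": "M", "diagnosis": "flu"},
    {"zip": "02139", "dob": "1946-09-19", "sex": "F", "diagnosis": "migraine"},
    {"zip": "02140", "dob": "1946-03-05", "sex": "F", "diagnosis": "anemia"},
    {"zip": "02140", "dob": "1945-12-25", "sex": "F", "diagnosis": "asthma"},
]

# Fields that a public list (voter roll, review data, ...) also carries.
QUASI_IDS = ("zip", "dob", "sex")


def qid_key(record, quasi_ids=QUASI_IDS):
    """The quasi-identifier combination a linkage attack would match on."""
    return tuple(record[q] for q in quasi_ids)


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """How many records share each quasi-identifier combination."""
    return Counter(qid_key(r, quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """Size of the smallest class; k == 1 means someone is uniquely identifiable."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def unique_fraction(records, quasi_ids=QUASI_IDS):
    """Share of records that are alone in their class (directly re-identifiable)."""
    if not records:
        return 0.0
    classes = equivalence_classes(records, quasi_ids)
    singletons = sum(1 for r in records if classes[qid_key(r, quasi_ids)] == 1)
    return singletons / len(records)


def generalize(record):
    """Safe-harbor-style coarsening: keep only the 3-digit ZIP prefix and the
    year of birth. (Under HIPAA safe harbor the ZIP prefix is itself only
    allowed when the 3-digit area holds more than 20,000 people.)"""
    out = dict(record)
    out["zip"] = record["zip"][:3]
    out["dob"] = record["dob"][:4]
    return out


def suppress_small_classes(records, k, quasi_ids=QUASI_IDS):
    """Drop records whose class is still smaller than k after generalization.
    Generalization alone does not guarantee k-anonymity; suppression closes
    the remaining gaps at the cost of some data."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[qid_key(r, quasi_ids)] >= k]


def risk_report(records, k=2):
    """Before/after metrics a privacy officer would want to see for a release."""
    generalized = [generalize(r) for r in records]
    released = suppress_small_classes(generalized, k)
    return {
        "raw_k": k_anonymity(records),
        "raw_unique_fraction": unique_fraction(records),
        "generalized_k": k_anonymity(generalized),
        "generalized_unique_fraction": unique_fraction(generalized),
        "released_k": k_anonymity(released),
        "released_count": len(released),
    }


if __name__ == "__main__":
    for name, value in risk_report(RELEASED_RECORDS).items():
        print(f"{name}: {value}")
```

On this sample, 6 of 8 raw records are unique on (ZIP, DOB, sex); after generalization one record is still unique, and suppressing it is what finally reaches k = 2.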

It is the development of big data and advances in artificial intelligence that are truly the game changers in discussion of de-identification and privacy.  These two forces create a major concern for safeguarding private health information where sophisticated companies with large repositories of big data combine with health care systems with the goal of improving medical care.

The dilemma that regulators must confront going forward, particularly in the context of personal health data, is how to strike a balance between providing adequate privacy protections and not imposing unnecessary barriers to the medical advancements that result from the workings of AI and big data.

Society must engage in a policy cost-benefit-risk type analysis to inform our conversation. Risk tolerance is the pivotal judgment: what cost is society willing to pay to protect privacy?

In view of the rapid advances in AI, and the continuing amassing of personal health data, absolute personal health privacy protection may be elusive while we seek the medical benefits obtained from the intersection of AI with big data.  Maybe certainty and absolute guarantees should not be the goal.  However, we must strive for a standard that we can live with that reasonably protects our personal health information from unconsented disclosure.


If you are a covered entity who experienced a breach of unsecured protected health information affecting fewer than 500 individuals, you must notify the Office of Human Rights of the Department of Health and Human Services of the breach within 60 days of the end of the calendar year in which the breach was discovered. For breaches that occurred in calendar year 2019, that deadline is February 29, 2020.

To report a breach, go to the Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information, which is at   That link will take you to a step-by-step process which walks you through how to submit the required disclosures.  Since you cannot move past a screen on this site without entering data, you may want to download and print this OCR document which lists all the information you will need for your report:

Note that you must submit the notice electronically via the OCR portal.

Also note that a covered entity is not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals.  A covered entity may report such breaches at the time they are discovered.

You may report all of your breaches affecting fewer than 500 individuals on one date, but you must complete a separate notice for each breach incident.

If you are a business associate who is required to report breaches on behalf of a covered entity under the terms of the applicable business associate agreement, you may also use this portal.


The answer to this question has changed yet again. I’ve blogged on this topic several times in the past (see here, here and here), and described the question as a wriggling worm. Plaintiff Ciox Health, LLC has finally managed to catch that worm and share its bounty among those looking to charge third-party requestors more than the limited “reasonable, cost-based fee” that may be charged to individuals.

On January 23, 2020, a federal court found in favor of plaintiff Ciox, a specialized medical records processing vendor, on its challenge to 2016 Guidance issued by the U.S. Department of Health and Human Services. The 2016 Guidance provided, among other things, that when either an individual requests copies of his or her medical records or a third party requests copies on behalf of the individual, the amount that can be charged is limited to a “reasonable, cost-based” fee. According to Ciox’s President of Life Sciences (and as noted in the court’s decision), the effect of the 2016 Guidance was to cause law firms and other third parties to use the individual access request, with its “reasonable, cost-based fee” limitation, as the means to request patient records, rather than having individuals sign HIPAA authorizations, which implicate only state law fee caps (if any). The frequency of records requests made by third parties on behalf of individuals (“third-party directives”) increased by nearly 700 percent following the issuance of the 2016 Guidance.

HHS published an “Important Notice Regarding Individuals’ Right of Access to Health Records” on January 28, 2020, noting the Ciox decision and the fact that the “reasonable, cost-based fee” limitation no longer applies to third party directives. In addition, the records are not required to be produced in electronic format in response to a third-party directive.

What does this mean for covered entities and business associates trying to figure out how to respond to a HIPAA authorization, an individual access request, or a third-party directive?

Consider who is making the records request and where the records are to be sent. If the individual who is the subject of the records wants copies transmitted electronically to the individual, treat the request as an access request. If a third party seeks the records, it is likely sufficient to provide the third party with a HIPAA authorization form and treat the request as a third-party directive. However, if the individual initiates the request and wants the records sent to a third party, it may be prudent to treat the request as an access request, limiting fees and endeavoring to comply with requests to transmit records in electronic format. Don’t dangle the Ciox worm in front of individuals seeking their own medical records.