In the midst of COVID-19, what's happening with the US's main federal law on medical privacy, HIPAA?
In Congress, the proposed CARES Act included some modest adjustments of HIPAA's coverage, at least according to the draft text available this past weekend.
The changes mostly extended privacy protections for people receiving treatment for drug use issues—not unimportant, but not a groundbreaking change, either. And who can predict what will end up the final bill?
No, the real action is happening over at the Department of Health and Human Services, and more specifically in its Office for Civil Rights.
Starting in February, HHS and OCR have put out a number of guidance documents, granted limited enforcement waivers, and announced how they would exercise their enforcement discretion when it comes to patient privacy in the midst of COVID.
OCR bulletin on HIPAA privacy and coronavirus
In February, the OCR produced a bulletin reminding health industry participants about the existing legal avenues to share medical information to facilitate the fight against the COVID-19 threat.
The guidance emphasized the ability to share information with public health authorities and with others where necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.
The guidance also reminded readers that HIPAA generally only governs the activities of "covered entities"—healthcare providers, health insurers, and certain other healthcare participants—and that it does not typically apply to employers.
Read the original bulletin here.
HHS limited waiver of HIPAA sanctions
In mid-March, HHS announced that it would waive certain sanctions and penalties against hospitals that implemented a disaster protocol.
A hospital that is within an emergency zone identified by the President’s emergency declaration and that implements a disaster protocol will have a 72-hour grace period in which it will not be subject to sanctions or penalties for certain violations.
Those violations include failing to obtain certain consents from patients, failing to provide certain notices to patients, and failing to honor particular patient requests for confidentiality (e.g. opting out of a hospital directory or making special privacy requests).
Read the announcement here.
HHS notification and guidance regarding telehealth services
Also in mid-March, HHS announced that it will exercise its discretion not to enforce HIPAA against medical providers who, due to the emergency and in good faith, adopt telehealth practices such as meeting with patients over video chat platforms.
Normally, use of such technologies may be subject to various restrictions under HIPAA’s Privacy, Security, and Breach Notification Rules.
HHS identified a number of major platforms that healthcare providers could use and identified certain platforms that have further represented they are already compliant with the HIPAA Security Rule.
It also identified certain chat platforms that, because they are public facing, should not be used (e.g. TikTok or public chat rooms). The notification and guidance apply whether a healthcare provider is treating patients for suspected COVID-19 infections or for anything else.
The notification can be found here; the guidance is here.
OCR guidance for first responders
On March 24, the OCR provided guidance on how information about COVID-19 patients may be disclosed to and within the first-responder community.
For example, the guidance reminds healthcare providers that they may share patient medical information to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.
As an example, the guidance advises that a healthcare provider may provide a list of known COVID-19 cases to an EMS dispatcher so that they can inform EMS personnel when they may be encountering a COVID patient.
The guidance is available here.