Health Information Compliance Alert

HIPAA:

Know the Numerous COVID-19 Impacts to HIPAA

New flexibilities and notifications of enforcement discretion abound.

There’s no denying that COVID-19 has changed the rules of healthcare over the last two months. And with the ramp up of digital care options to circumvent necessary social distancing measures, as well as coronavirus testing, HIPAA standards have been reeled in to allow for infrastructure changes and the new normal throughout the industry.

Background: Back on Jan. 31, Department of Health and Human Services (HHS) Secretary Alex Azar declared a public health emergency (PHE), which was followed on March 11 by World Health Organization (WHO) Director-General Tedros Adhanom Ghebreyesus pronouncing COVID-19 a pandemic. Then, President Trump declared a national emergency on March 13. A combination of updated rules and regulations, acts, and declarations have ensued, including a plethora of 1135 blanket waivers, Medicare policy flexibilities, and relaxed HIPAA compliance.

Feds Expand Telehealth Services

On March 17, the Centers for Medicare & Medicaid Services (CMS) announced an expansion of telehealth benefits for specific providers and their patients. The changes allow clinicians to provide telehealth visits to patients anywhere, not just in rural areas, and in their homes rather than at a healthcare facility (see story p. 27).

“Patients will now be able to access their doctors using a wider range of communication tools including telephones that have audio and video capabilities, making it easier for beneficiaries and doctors to connect,” CMS says in its telehealth expansion release.

FaceTime, Skype Are OK for F2F Encounters Now

Hand-in-hand with the telehealth expansion came an HHS Office for Civil Rights (OCR) notification of HIPAA enforcement discretion. The agency will “not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered healthcare providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency,” OCR said.

See the March 17 notification at www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html.

The feds further clarified that non-public-facing technologies like FaceTime and Skype can be used for telehealth visits, but public-facing technologies like TikTok and Facebook Live can’t.

“We are empowering medical providers to serve patients wherever they are during this national public health emergency,” said Roger Severino, OCR director. “We are especially concerned about reaching those most at risk, including older persons and persons with disabilities,” Severino added.

Next: On March 20, OCR followed up its first notification of enforcement discretion with FAQs on the intersection of HIPAA and telehealth. The guidelines include telehealth definitions, which covered entities (CEs) are impacted, a breakdown of the Rules the notification affects, and more.

Review the FAQs at https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf.

Reminder: The telehealth visit doesn’t have to be for COVID-19 reasons to qualify for the expansion and exemptions. “OCR emphasized the need to ensure remote access to care for patients, especially those most at risk, regardless of whether or not the service is related to COVID-19,” note attorneys Rebecca Schaeffer and Cheryl Choice with law firm K&L Gates in online analysis. “Increasing access to telehealth will reduce the need for healthy or nonsymptomatic individuals to travel to facilities for health care, which in turn will help interpersonal interactions and further reduce transmission.”

See 4 More COVID-19-Inspired HIPAA Updates

The daily output of changes, rollbacks, and revisions across all local, state, and federal sites has been overwhelming, and challenging for many to keep up with. Since its initial telehealth enforcement changes, OCR has released four more HIPAA briefs that impact a variety of organizations and entities. Read on for the details.

First responders: On March 24, OCR released HIPAA privacy guidance on how CEs should disclose the protected health information (PHI) of patients with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities, a release suggests.

Following the HIPAA Privacy Rule is still vitally important, and CEs should remember that every effort must be made to protect patients while helping to stem the spread of the virus by sharing data with first responders, OCR reminds.

Read the guidance at www.hhs.gov/sites/default/files/covid-19-hipaa-and-first-responders-508.pdf.

Civil rights: “On March 28, OCR issued a bulletin focused on Section 1557 of the Affordable Care Act and Section 504 of the Rehabilitation Act, which prohibits discrimination on the basis of disability in HHS-funded health care programs,” explain attorneys Chris Bennington and Allen Killworth with Bricker & Eckler LLP in online analysis. “The bulletin noted that these and other civil rights laws remain in effect during the pandemic, and providers must make decisions regarding whether a person is a candidate for treatment based on an individualized assessment of the best available objective medical evidence.”

Find the bulletin at www.hhs.gov/sites/default/files/ocr-bulletin-3-28-20.pdf.

Business associates: On April 2, OCR announced in its second COVID-19-inspired notification of enforcement discretion that it will not impose penalties on CEs or their business associates (BAs) for “certain provisions of the HIPAA Privacy Rule” when patients’ PHI is used or disclosed for PHE-related matters “in good faith.” This particularly concerns CE and BA interactions with CMS, the Centers for Disease Control and Prevention (CDC), or state and local health agencies.

“Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives,” Severino stressed in a release.

Peruse the April 2 notification at www.hhs.gov/sites/default/files/notification-enforcement-discretion-hipaa.pdf.

COVID-19 testing: Certain CEs, BAs, and large pharmacy chains will not have penalties imposed for noncompliance with specific provisions of the HIPAA Rules when participating in the feds’ COVID-19 community-based testing program, indicates an April 9 OCR release on a third notification of enforcement discretion. This specifically impacts providers, BAs, and pharmacies operating and testing patients at COVID-19 Community-Based Testing Sites (CBTS) across the nation.

“This exercise of enforcement discretion is effective immediately, but has a retroactive effect to March 13, 2020,” OCR says.

View the April 9 notification at www.hhs.gov/sites/default/files/notification-enforcement-discretion-community-based-testing-sites.pdf