Apr 6, 2020

OCR Relaxes HIPAA Standards in Light of COVID-19

By Deborah A. Cmielewski, Esq.

In response to the COVID-19 national emergency, the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (“OCR”) has relaxed certain regulatory standards in an effort to facilitate the delivery of crucial health care services and the exchange of critical information. Exercising its enforcement discretion, OCR will not impose potential penalties in limited circumstances relating to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) during the national emergency. 

Relaxation of Standards Relative to Telehealth

OCR has announced that it will not impose penalties against covered health care providers for noncompliance with HIPAA in connection with the good faith provision of telehealth during the national emergency. Such providers may use audio or video communications to communicate with their patients and to provide telehealth services for any reason. This includes, but is not limited to, communications relating to the diagnosis and treatment of COVID-19. Recognizing that some technologies may not be fully HIPAA-compliant, OCR will nonetheless suspend penalties during the period of the national emergency.

OCR has advised that providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video or Skype, but has encouraged providers to notify patients of the potential risks and to enable all available privacy modes and encryption. Importantly, OCR has specifically excluded Facebook Live, Twitch, TikTok and similar video communication applications, noting that such applications are public-facing and should not be used to render telehealth services.

While not endorsing or recommending specific services providers, OCR has identified a number of vendors that represent that they offer HIPAA-compliant video communication products, including Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me and Google G Suite Hangouts Meet. OCR has noted that such vendors represent that they will enter into HIPAA business associate agreements (“BAAs”).  

Relaxation of Standards Relative to Business Associate Relationships

OCR will likewise forego imposing penalties against covered entities or business associates under certain limited conditions relating to the sharing of protected health information (“PHI”). Under existing regulations, business associates may use and disclose PHI in their possession only in accordance with their BAAs or as required by law. OCR has determined that business associates have been unable to supply critical information to federal public health authorities, federal health oversight agencies, state and local health departments and state emergency operation centers or to perform public data analytics on PHI in their possession to ensure public health and safety during the national emergency because their existing BAAs do not expressly permit such uses and disclosures. While the national emergency is in effect, business associates who make a good faith use or disclosure of PHI solely for public health or health oversight activities in accordance with HIPAA must inform the covered entity within ten (10) calendar days after it makes such use or disclosure, or for continuing disclosures, within ten (10) calendar days after it commences such use or disclosure.

Entities subject to HIPAA must remember that the national emergency is not an excuse to disregard good practice. While the enforcement discretion enables providers to deliver critical care during the national emergency, the emergency will eventually end. Covered entities and business associates alike must continue to apply appropriate physical, technical and administrative safeguards and otherwise comply with HIPAA in their handling of sensitive data. 

For more information, contact Deborah A. Cmielewski, Esq. at dac@spsk.com or 973-540-7327.

DISCLAIMER:  This Alert is designed to keep you aware of recent developments in the law.  It is not intended to be legal advice, which can only be given after the attorney understands the facts of a particular matter and the goals of the client.