The HIPAA Privacy Rule protects the privacy of patients’ health information (protected health information), but it is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.
The Novel Coronavirus (2019-nCoV) outbreak has provided such a purpose. This means HIPAA-covered entities and their business associates may be able to share patient information under the HIPAA Privacy Rule in order to deal with the outbreak of infectious disease or other emergency situation. However, the protections under the HIPAA Privacy Rule are not set aside during an emergency.
While the HIPAA Privacy Rule is not suspended during a public health or other emergency, the Secretary of the U.S. Department of Health and Human Services (HHS) may waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.
The Secretary of HHS, Alex M. Azar, declared a public health emergency on January 31, 2020. In doing so, he exercised his authority to waive sanctions and penalties against covered entities (and their business associates) that do not comply with various provisions of the HIPAA Privacy Rule1:
- The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b)
- The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a)
- The requirement to distribute a notice of privacy practices. See 45 CFR 164.520
- The patient’s right to request privacy restrictions. See 45 CFR 164.522(a)
- The patient’s right to request confidential communications. See 45 CFR 164.522(b)
This waiver became effective March 15, 2020.
The waiver of sanctions only applies in various settings such as in the “emergency area” as defined in the public health emergency declaration made by the Secretary of HHS. The waiver also applies to hospitals that have instituted a disaster protocol, and up to 72 hours from the time the hospital implemented its disaster protocol. The waiver of sanctions expires when the Secretary of HHS or the President terminates the public health emergency declaration.
So what does this mean for health care workers, such as physicians, nurses, nurse practitioners and physician’s assistants?
The HIPAA Privacy Rule — even without waiver of sanctions by the Secretary of HHS during a declared emergency — has, baked in its regulation, allowable disclosures during emergency situations. For example, a health care provider may share protected health information with a patient’s family members, friends, other persons identified as involved in the patient’s care. (See 45 CFR 164.510(b).) Health care providers may share such patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. Relevant to the current pandemic, a health care provider may disclose a patient’s health information, such as a positive result for COVID-19, to anyone who is in a position to prevent or lessen the serious and imminent threat, possibly further exposure to others.
The HIPAA Privacy Rule expressly defers to the health professionals’ judgment in making determinations about the nature and severity of the threat to health and safety. (See 45 CFR 164.512(j).) While the HIPAA Privacy Rule defers to a providers’ judgment, a disclosure must be made with reasonable efforts to limit the information disclosed to that which is considered “minimum necessary” information to accomplish the purpose. An important caveat is that the minimum necessary requirements do not apply to disclosures to health care providers for treatment purposes.
Another important HIPAA implication involves telehealth. The Health Resources and Services Administration defines telehealth as the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration
During the COVID-19 public health emergency, covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth. The question, then, becomes: What is considered “good faith” in terms of telehealth? While there is no definition for “good faith” the Office of Civil Rights (OCR) has defined instances of bad faith2:
- Conduct or furtherance of a criminal act, such as fraud, identity theft, and intentional invasion of privacy;
- Further uses or disclosures of patient data transmitted during a telehealth communication that are prohibited by the HIPAA Privacy Rule (e.g., sale of the data, or use of the data for marketing without authorization);
- Violations of state licensing laws or professional ethical standards that result in disciplinary actions related to the treatment offered or provided via telehealth (i.e., based on documented findings of a health care licensing or professional ethics board); or
- Use of public-facing remote communication products, such as TikTok, Facebook Live, Twitch, or a chat room like Slack, which OCR has identified in the Notification as unacceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication.
Many health care providers are offering telehealth services during the COVID-19 outbreak to limit patient exposure and promote social distancing. A high number of these health care providers are offering telehealth services for the first time, or at a higher rate than normal. This situation calls for potential gaps and mistakes. Health care providers should be aware that the OCR has indicated it will exercise its enforcement discretion, and it will not pursue otherwise applicable penalties for breaches that result from good faith provision of telehealth services during COVID-19 public health emergency.
The health care industry faces considerable uncertainty currently. But the Secretary of HHS and the OCR are taking small steps in the HIPAA Privacy Rule to make it easier to provide medical treatment to patients in need during this crisis.
Wedad Ibrahim Suleiman
Attorney at Chapman Law Group: Health Care Defense Law Firm
LL.M. Health Law Candidate, Loyola Chicago
J.D. MSU College of Law