New HIPAA Waivers for Health Care Providers During the COVID-19 Emergency

Dorsey & Whitney LLP

This post provides an update on a number of HIPAA waivers that have just been made available to health care providers: (1) waivers for hospitals in the initial 72 hours of enacting a disaster protocol; and (2) waivers for all health care providers to allow them to use “everyday communications technologies, such as FaceTime or Skype, during the COVID-19 nationwide public health emergency” for the provision of patient care services. Each waiver is addressed more fully below.

Waivers for Hospitals in the Initial 72 Hours of Enacting a Disaster Protocol

First, the Secretary of the Department of Health and Human Services (HHS) has issued limited HIPAA waivers to hospitals.  The waivers are retroactive to March 15, 2020.  See the HHS HIPAA waiver document here.  We addressed the possibility of these waivers in our earlier post, available here, along with a summary of some of the main HIPAA laws already in place which may be helpful to covered entities and business associates during this time of national and public health emergency.

The HIPAA waiver document starts by reminding covered entities and their business associates that, in general, the HIPAA rules are not suspended during this time of a national and public health emergency.  In particular, addressing a topic of much discussion among providers, the guidance includes a reminder that the HIPAA security safeguards rules (mandating reasonable administrative, technical and physical safeguards) apply to uses and disclosures of electronic protected health information as always.  This statement is a reminder to health care providers of their obligations to use appropriate safeguards when using or disclosing protected health information (but, see Part 2 of this blog post, below, which describes a new waiver allowing providers to use everyday communications technologies for patient care.)

The HIPAA waiver will only apply to hospitals:

(1) in the emergency area identified in the public health emergency declaration (the declaration applies nationwide, see the declaration here);

(2) that have instituted a disaster protocol; and

(3) for up to 72 hours from the time the hospital implements its disaster protocol.

After the 72 hours elapse, the hospital is required to return to full HIPAA compliance, even for patients who are still under care at the time. Also, if the national emergency or the public health emergency is terminated, the hospital is required to return to full HIPAA compliance, even if the 72 hours have not elapsed.

The waivers permit U.S. hospitals that have instituted their disaster protocol to have the following HIPAA requirements waived during the initial 72 hours of the disaster protocol:

• the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
• the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
• the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
• the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
• the patient’s right to request confidential communications. See 45 CFR 164.522(b).

Waivers for All Health Care Providers to Allow the use of Everyday Communications Technologies for Patient Care

Second, the HHS Office for Civil Rights (OCR) announced that it will “exercise enforcement discretion and waive penalties for HIPAA violations against health care providers that serve patients in good faith through everyday communications technologies, such as FaceTime or Skype, during the COVID-19 nationwide public health emergency”.  See the announcement from OCR here.

This second announcement is particularly refreshing for health care providers who have been anxiously seeking easier methods, such as the use of personal devices and specific technologies, to interact via audio and/or video technologies with their patients and colleagues.

Specifically, OCR states: “A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients….This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.”

OCR provides the following examples of technology that will be allowed:

“…a video chat application connecting the provider’s or patient’s phone or desktop computer in order to assess a greater number of patients while limiting the risk of infection of other persons who would be exposed from an in-person consultation.”

“…popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype…”

The OCR makes clear that this technology is also allowed to assess or treat any other medical condition, even if not related to COVID-19. Further, the OCR also states in the notice that it will not impose penalties against health care providers that do not have a business associate agreement in place with such technology vendors.

The OCR provides the following examples of technology that will not be allowed because they are public facing:

  • Facebook Live
  • Twitch
  • TikTok
  • similar public-facing video communication applications

Finally, the OCR acknowledges that some health care providers may still wish to use technology vendors that are “HIPAA compliant” and with whom the health care provider has entered into a business associate agreement related to the vendor’s video communications products. The OCR provides a list of some technology vendors that represent that they provide HIPAA-compliant video communication products and will enter into a business associate agreement (although the OCR states that it does not endorse any particular technology and it has not reviewed the business associate agreements of these vendors):

  • Skype for Business
  • Updox
  • VSee
  • Zoom for Healthcare
  • Doxy.me
  • Google G Suite Hangouts Meet

However, a few words of caution:

  • The OCR encourages providers to notify their patients that these third-party applications potentially introduce privacy risks.
  • Providers should also take as many security precautions as possible to protect patient information such as enabling “all available encryption and privacy modes when using such applications,” and having these conversations in private spaces to avoid others who are not involved in the patient’s care overhearing the communication.
  • Further, even if a provider is using “everyday communications technologies,” the provider should take care to record the interactions in the patient’s medical record to ensure that patients’ records are complete and accurate.

We are continuing to monitor this ever-evolving area of the law and will continue to post updates.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dorsey & Whitney LLP | Attorney Advertising
