HIPAA Security Rule Update Related to COVID-19
Telehealth Remote Communication Technology
On March 17, 2020, the federal Department of Health and Human Services (HHS) announced that the Office for Civil Rights (OCR) will suspend enforcement activities and waive penalties related to certain HIPAA Security Rule provisions “during the COVID-19 nationwide public health emergency.” Specifically, OCR will waive penalties for using “everyday communications technologies” in furtherance of providing health care services.
OCR enforces Privacy, Security, and Breach Notification Rules and regulations (the HIPAA Rules) associated with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act. HIPAA Rules require that health care providers (and other covered entities) utilize certain technical, physical, and administrative safeguards in conjunction with the provision of treatment and maintenance of electronic protected health information. These HIPAA Rules include requirements for remote communication technologies utilized by health care providers for treatment purposes.
Effective immediately, however, OCR subregulatory guidance provides that OCR “will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.” As a result, providers may utilize any “non-public facing” audio or video communication technology to provide telehealth services. OCR’s announcement relates to telehealth provided “for any reason,” meaning that penalties will not apply regardless of whether telehealth services relate to COVID-19.
Exempted “non-public facing” technology may include FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, though OCR encourages providers to notify patients of potential privacy and security risks associated with these applications. OCR states that providers should “enable all available encryption and privacy modes when using such applications.” Providers that seek additional protections for telehealth services may utilize HIPAA-compliant vendors and business associate agreements.
Public-facing applications, such as Facebook Live, Twitch, and TikTok, do not qualify for exemption under this OCR guidance. Use of these public-facing technologies may still be subject to OCR enforcement activity.
Other Telehealth Initiatives Related to COVID-19
The above announcement follows a string of telehealth-related initiatives published by the federal government during the COVID-19 emergency. The Centers for Medicare and Medicaid Services (CMS) previously announced that Medicare would expand coverage for medical visits furnished via telehealth retroactive to March 6, 2020. For the duration of the COVID-19 emergency, telehealth visits are considered by CMS to constitute “in-person” visits (and are reimbursed accordingly). In the same announcement, CMS indicated that another HHS agency, the Office of Inspector General (OIG), will permit health care providers to eliminate cost-sharing requirements applicable to federal health insurance programs. CMS previously waived the requirement under Medicare and Medicaid that a health care provider be licensed in the state wherein the patient sits at the time of service (and eased otherwise applicable requirements that telehealth services be provided only to patients in rural areas by providers with whom the patient previously established a relationship).
In 2019, Medicare began reimbursing “virtual check-ins” and “e-visits,” which, collectively, permit providers to engage in “short” and “non-face-to-face” “patient-initiated communications” through online portals. Virtual check-ins and e-visits require verbal patient consent to receive such services.
In February, OCR released guidance for health care providers related to permitted uses and disclosures of protected health information related to COVID-19. In the release, OCR outlined the use and disclosure of information (1) for public health activities (including disclosures to those at risk of contracting or spreading a disease); (2) to patients’ family members; and (3) to prevent imminent threat of harm.
We expect additional and ongoing updates from OCR, OIG, and CMS during the COVID-19 emergency. These agencies continue to implement guidance pursuant to waiver authority under Section 1135 of the Social Security Act. Section 1135 waiver authority permits HHS to modify federal requirements related to Medicare, Medicaid, or the Children’s Health Insurance Program upon certain emergency declarations. This waiver authority vested upon the presidential declaration on March 13, 2020, under the Stafford Act and the National Emergencies Act. HHS Secretary Azar had previously declared, in January, a public health emergency related to COVID-19. For the duration of these emergency declarations, HHS will have authority to release further guidance.
Copyright © 2020 by Ballard Spahr LLP.
This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.