Jessica Quinn (jessica.quinn@ohiohealth.com) is Senior Vice President, Chief Ethics and Compliance Officer, and Vladimir I. Edmondson (vlad.edmondson@ohiohealth.com) is Senior Compliance Director and Chief Privacy Officer at OhioHealth in Columbus, OH.
Almost 25 years ago, Congress passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishing a national framework for patient privacy.[1] To ensure an appropriate balance between individual privacy rights and public health needs, Congress included the following statutory language: “Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.”[2] Consistent with this congressional intent, when drafting the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule),[3] the secretary of the U.S. Department of Health & Human Services (HHS) incorporated a savings clause to exempt state public health laws from preemption and a number of important exceptions for public health activities.[4]
As the COVID-19 pandemic has unfolded, healthcare providers have proven to be critical players in the fight against the pandemic through preventing, treating, and recovering from COVID-19 in, at times, nontraditional ways not necessarily contemplated by privacy laws. To ensure that those engaged in the COVID-19 fight are not unnecessarily restricted under the Privacy Rule, the HHS Office for Civil Rights (OCR) began to issue a rapid-fire series of regulatory relief documents providing covered entities the relief they needed to fight a pandemic of this magnitude. To date, OCR has issued three notifications of enforcement discretion, four separate guidance documents, and two bulletins focused on the COVID-19 response. OCR’s early efforts to address the not-yet-declared pandemic began in early February when it issued, without fanfare, the “BULLETIN: HIPAA Privacy and Novel Coronavirus.”[5] While not yet extending regulatory relief, the February bulletin highlighted ways in which covered entities and their business associates could continue to permissibly share patient information and put them on notice that they must continue to implement and apply reasonable safeguards, including administrative, physical, and technical safeguards, to protect patient information. This regulatory relief is not without limitations, however, and a careful understanding of the guardrails for these temporary regulatory changes is critical to help navigate through these changes without inadvertently crossing the line into noncompliance.
Telehealth regulatory relief guardrails
The first series of regulatory relief applies to telehealth, arguably one of the most important tools for the healthcare industry during this public health emergency.[6] Pre-public health emergency application of HIPAA would have required, among other things, covered healthcare providers to satisfy requirements set out in the HIPAA Privacy, Security, and Breach Notification rules, including:
- Providing the covered entity’s Notice of Privacy Practices no later than the date of the first service delivery and, if the first service delivery to an individual is delivered electronically, the covered healthcare provider must provide electronic notice automatically and contemporaneously in response to the individual’s first request for such service;[7]
- Obtaining satisfactory assurances from the engaged telehealth technology vendor (i.e., the business associate) that the vendor will appropriately safeguard protected health information (PHI) prior to any disclosure of PHI made by the covered healthcare provider to the business associate, in the form of a written contract or other written agreement or arrangement with the business associate (e.g., business associate agreement);[8] and
- Performing third-party security reviews of potential telehealth technology vendors to reasonably determine their ability to comply with the HIPAA Privacy and Security rules.[9]
In this series, OCR relieved covered entities from HIPAA-related penalties for the good-faith provisioning of telehealth, thereby significantly expanding the available vendors and vendor tools a covered healthcare provider may use to deliver telehealth. A thorough understanding of what OCR considers “good faith” in this context is critical, however, to avoid noncompliance.
March 17 telehealth notification
On March 17, when 7,038 COVID-19 cases in the United States were reported by the U.S. Centers for Disease Control and Prevention,[10] OCR issued its first Notification of Enforcement Discretion.[11] In its March 17 telehealth notification, OCR feverishly removed one of the telehealth hurdles that had been arguably blocking many covered healthcare providers from fully switching to telecommunication technologies that support and promote the delivery of healthcare in the living rooms, bedrooms, and kitchen tables across our country. In one regulatory swoop, OCR paved the way for covered healthcare providers to make technologically delivered house calls in response to the pandemic through nonpublic-facing remote audio/video communication platforms and products (e.g., Apple FaceTime, Facebook Messenger, Google Hangouts, WhatsApp, Zoom, Skype, Signal, Jabber) that are not necessarily compliant with HIPAA.[12]
Roger Severino, OCR director, announced at that time that this initial exercise of enforcement discretion was being made in an effort to empower “medical providers to serve patients wherever they are during this national public health emergency.”[13] To carry this through, OCR declared that it would “not impose penalties for noncompliance with the regulatory requirements under the HIPAA rules against covered health care providers in connection with the good faith provision of telehealth during the COVID–19 nationwide public health emergency.”[14]
But what exactly does the good-faith provisioning of telehealth look like to OCR? In its March 17 telehealth notification, OCR hinted at what covered healthcare providers—those healthcare providers who conduct one or more covered healthcare transactions electronically, such as transmitting healthcare claims to a health plan[15]—could do that one might reasonably believe demonstrates the good-faith provisioning of telehealth, such as (a) notifying their patients that third-party telehealth applications potentially introduce privacy risks, (b) enabling all available encryption and privacy modes when using such applications, (c) engaging telehealth services through technology vendors who represent that they are compliant with HIPAA, and (d) entering into HIPAA business associate agreements with such vendors.
March 20 FAQs
On March 20, three days and just over 11,000 additional COVID-19 cases later,[16] OCR provided important insight into what would be considered good-faith provisioning of telehealth when posting its “FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency” (March 20 FAQs).[17] OCR noted that when determining what constitutes the good-faith provision of telehealth services, it would reserve the right to consider all facts and circumstances, including “[f]or example, if a provider follows the terms of the Notification and any applicable OCR guidance” (emphasis added). In the March 20 FAQs, OCR also provided the other guardrail by setting out in the alternative what OCR would consider bad faith, including:
- “Conduct or furtherance of a criminal act, such as fraud, identity theft, and intentional invasion of privacy;
- “Further uses or disclosures of patient data transmitted during a telehealth communication that are prohibited by the HIPAA Privacy Rule (e.g., sale of the data, or use of the data for marketing without authorization);
- “Violations of state licensing laws or professional ethical standards that result in disciplinary actions related to the treatment offered or provided via telehealth (i.e., based on documented findings of a health care licensing or professional ethics board); or
- “Use of public-facing remote communication products, such as TikTok, Facebook Live, Twitch, or a public chat room, which OCR has identified in the [March 17 telehealth notification] as unacceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication.”
March 28 bulletin
Eight days and more than 100,000 new COVID-19 cases later,[18] OCR provided an additional guardrail for our vulnerable populations in its “BULLETIN: Civil Rights, HIPAA, and the Coronavirus Disease 2019 (COVID-19)” (March 28 bulletin).[19] It must first be noted, though, that on both March 17[20] and March 20,[21] Director Severino cautioned that OCR is “especially concerned about reaching those most at risk, including older persons and persons with disabilities.” Further, on March 28, Director Severino committed that “[p]ersons with disabilities, with limited English skills, and older persons should not be put at the end of the line for health care during emergencies.”[22] To that end, the March 28 bulletin[23] warned that “as resources allow, government officials, health care providers, and covered entities should not overlook their obligations under federal civil rights laws to help ensure all segments of the community are served by:
- “Providing effective communication with individuals who are deaf, hard of hearing, blind, have low vision, or have speech disabilities through the use of qualified interpreters, picture boards, and other means;
- “Providing meaningful access to programs and information to individuals with limited English proficiency through the use of qualified interpreters and through other means.”
Public health guardrails
The HIPAA Privacy Rule allows covered entities to disclose PHI without patient authorization for certain public health and health oversight activities. However, business associates may only make such disclosures if permitted or required by their business associate contract or other arrangement. During the pandemic, this discrepancy may have unnecessarily created challenges for the timely exchange of information for public health and health oversight activities.
April 2 public health notification
On April 2, five days and another 116,000 new COVID-19 cases later,[24] OCR issued its second Notification of Enforcement Discretion (April 2 public health notification).[25] In this notification, OCR announced that it would not impose penalties for violations of certain provisions of the HIPAA Privacy Rule for public health and health oversight activities during the COVID-19 pandemic. Specifically, under the pre-pandemic application of the Privacy Rule, business associates were limited to using or disclosing PHI only as permitted or required by their business associate contract or other arrangement, or as required by law.[26] Additionally, a covered entity would be considered noncompliant with the Privacy Rule if it knew of a pattern of activity or practice that violated the business associate’s obligation(s) under the business associate agreement and the covered entity took no action to cure or end the violation, or to terminate the arrangement if feasible.[27] In the April 2 public health notification, OCR expands the permitted uses and disclosures by business associates to include public health-related activities if, and only if, the business associate:[28]
- makes a good-faith use or disclosure of a covered entity’s PHI for public health or health oversight activities; and
- informs the covered entity within 10 calendar days of such use and/or disclosure (conceivably so that the covered entity may fulfill any obligations required under 45 C.F.R. § 164.528 regarding accounting of disclosure of protected health information).
This of course means that if a covered entity’s business associate makes a good-faith use and/or disclosure of a covered entity’s PHI for public health or health oversight activities but fails to notify the covered entity within the requisite 10 calendar days, the imposition of potential penalties against the business associate or the covered entity may in fact be enforced by OCR.
In addition, covered entities should be mindful that a business associate simply informing the covered entity of a use or disclosure would be insufficient for the covered entity to fulfill its obligations to its patients, inasmuch as the implementation specifications for the accounting of disclosures under the HIPAA Privacy Rule related to public health or health oversight activities require covered entities to provide upon request:[29]
- “The date of the disclosure;
- “The name of the entity or person who received the protected health information and, if known, the address of such entity or person;
- “A brief description of the protected health information disclosed; and
- “A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such statement, a copy of a written request” for the disclosure.
In the event that multiple disclosures are made to the same person or entity for a single purpose in the covered period, the accounting of such multiple disclosures may (in addition to the above-required information for the first disclosure) simply include the frequency, periodicity, or number of the disclosures and the date of the last such disclosure during the accounting period.[30]
In contrast to its March 17 telehealth notification, OCR this time spells out that examples of good-faith uses and/or disclosures include a business associate’s uses and/or disclosures for or to:[31]
- “[T]he Centers for Disease Control and Prevention (CDC), or a similar public health authority at the state level, for the purpose of preventing or controlling the spread of COVID–19, consistent with [45 C.F.R. § 164.512(b)].
- “The Centers for Medicare and Medicaid Services (CMS), or a similar health oversight agency at the state level, for the purpose of overseeing and providing assistance for the health care system as it relates to the COVID–19 response, consistent with [45 C.F.R. § 164.512(d)].”
CBTS guardrails
As providers sought to treat patients as well as grasp the extent to which COVID-19 was spreading, the crucial need for safer testing environments became evident—environments that would minimize potential exposure of both patients and healthcare workers. The invaluable community-based testing sites (CBTS) that emerged during the public health emergency may have been stifled by HIPAA requirements if it hadn’t been for another OCR notification.
April 9 CBTS notification
On April 9, OCR’s final Notification of Enforcement Discretion (April 9 CBTS notification) in the triad came seven days and nearly 220,000 new COVID-19 cases later.[32] In addressing COVID-19 CBTS, OCR focused on loosening requirements so that covered healthcare providers and their business associates could deliver healthcare in nontraditional locations in communities across the country, instead of having potentially contagious patients unnecessarily exposing others by corralling through the corridors of hospitals and uncomfortably crowding into undersized waiting rooms. Director Severino committed OCR to “taking extraordinary action to help the growth of mobile testing sites so more people can get tested quickly and safely.”[33] To that end, OCR announced that it would “not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers or their business associates in connection with the good faith participation in the operation of a [CBTS] during the COVID–19 nationwide public health emergency.”[34] That step, along with implementing a retroactive effective date of March 13, 2020, allowed many providers to set up testing tents in their facility parking lots or strategically placed and easily accessible drive-through franchises throughout their cities, free from federal privacy enforcement distractions.
Similar to the two prior Notifications of Enforcement Discretion, the April 9 CBTS notification left wary compliance and privacy officers asking: What exactly does the good-faith participation in the operation of a CBTS mean to OCR? Although OCR did not directly answer this question in the April 9 CBTS notification, OCR’s recommendations as to what covered healthcare providers and business associates could (though are not required to) do might reasonably be relied on to demonstrate the good-faith participation in the operation of a COVID-19 CBTS, such as:[35]
- “Using and disclosing only the minimum PHI necessary except when disclosing PHI for treatment.
- “Setting up canopies or similar opaque barriers at a CBTS to provide some privacy to individuals during the collection of samples.
- “Controlling foot and car traffic to create adequate distancing at the point of service to minimize the ability of persons to see or overhear screening interactions at a CBTS. (A six-foot distance would serve this purpose as well as supporting recommended social distancing measures to minimize the risk of spreading COVID-19.)
- “Establishing a ‘buffer zone’ to prevent members of the media or public from observing or filming individuals who approach a CBTS, and posting signs prohibiting filming.
- “Using secure technology at a CBTS to record and transmit electronic PHI.
- “Posting a Notice of Privacy Practices (NPP), or information about how to find the NPP online, if applicable, in a place that is readily viewable by individuals who approach a CBTS.”
In addition, it is also reasonable for a covered healthcare provider to consider OCR’s prior guidance discussed above regarding good faith (e.g., following the terms of any applicable OCR guidance) and bad faith (e.g., furtherance of a criminal act, such as fraud, identity theft, and intentional invasion of privacy) in its participation in the operations of a CBTS.[36]
Carrying through the similarities of the first and last Notifications of Enforcement Discretion, both of which relate to opening the gates of access, covered healthcare providers and their business associates cannot forget OCR’s charge to enforce civil rights laws that ensure all individuals have equal access to quality healthcare, including such laws that prohibit discrimination on the basis of disability. To that end, covered healthcare providers and their business associates should heed Director Severino’s warning that “HHS is committed to leaving no one behind during an emergency, and helping health care providers meet that goal,”[37] as well as his specific callout during the April 16 COVID-19 teleconference that providers need to be mindful when setting up their community-based testing sites—that these sites account for ease of access not just for individuals in cars, but individuals using public transportation and those with mobility issues and/or disabilities and who may need to access such sites on foot.[38]
Compliance tips
Recognizing that the COVID-19 pandemic must be fought through nontraditional ways of treating, tracing, and testing, OCR temporarily relaxed certain regulatory requirements in its March 17, April 2, and April 9 notifications. In doing so, OCR also established sensible guardrails for telehealth, public health/health oversight, and community-based testing site activities. In light of these novel guardrails, covered entities (mainly covered healthcare providers) would be wise to:
- Carefully consider the solutions chosen to deliver telehealth services and provide reasonable accommodations for the needs of those most at risk;
- Carefully consider the locations chosen to deliver CBTS services and be mindful to provide reasonable accommodations for ease of access not just for individuals in cars, but individuals on public transportation and those with mobility issues and/or disabilities;
- Ensure that business associate(s) who have used and/or disclosed a covered entity’s PHI in response to public health/health oversight activities have also notified the covered healthcare provider of such use and/or disclosure so that the covered healthcare provider may fulfill any potential accounting of disclosure obligations or put the business associate on notice that such required notification did not occur and will need to be corrected;
- Heed OCR’s requirements and examples related to good-faith efforts in order to fully realize any issued temporary regulatory relief;
- Actively monitor any future OCR Notification of Discretion, additional guidance, or notification to the public indicating when OCR will no longer continue to exercise its temporary regulatory relief/enforcement discretion; and
- Track any unique practices implemented by the covered entity in response to OCR’s temporary regulatory relief and be prepared to modify such practices upon OCR’s termination of enforcement discretion.
Takeaways
- While the Office for Civil Rights (OCR) has swiftly removed very specific privacy-related restraints, the HIPAA Privacy, Security, and Breach Notification rules are still in force.
- OCR’s requirements related to good-faith efforts must be fulfilled in order to fully realize any issued temporary regulatory relief.
- Covered entities are expected to heed any applicable future OCR Notification of Discretion or additional guidance related to HIPAA and COVID-19.
- Though no expiration dates have been established, OCR will provide public notification identifying when its exercise of temporary regulatory relief/enforcement discretion will end.
- Covered entities should track, and be prepared to modify, unique practices implemented based on OCR’s temporary regulatory relief upon termination of enforcement discretion.