KENTUCKY REGIONAL EXTENSION CENTER

COVID-19 and The HIPAA Privacy Rule: Bulletins from HHS

In light of the COVID-19 national emergency, the Health and Human Services (HHS) Office for Civil Rights (OCR) has released information specific to the HIPAA Privacy Rule. The Kentucky REC wants to make sure you are aware of the information coming from HHS in order for you to be able to continue providing healthcare services to patients. Below is a collection of all bulletins released from HHS regarding modifications and waivers related to the HIPAA Privacy Rule.

The Kentucky REC will continue to share updates and releases with hyperlinks from HHS as the information becomes available. Each of the titles below is hyperlinked to the information described.

March 24, 2020: COVID-19 and HIPAA: Disclosures to Law Enforcement, Paramedics, Other First Responders and Public Health Authorities

Today, the Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS) issued guidance on how covered entities may disclose protected health information (PHI) about an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.

The guidance explains the circumstances under which a covered entity may disclose PHI such as the name or other identifying information about individuals, without their HIPAA authorization, and provides examples including:
• When needed to provide treatment;
• When required by law;
• When first responders may be at risk for an infection; and
• When disclosure is necessary to prevent or lessen a serious and imminent threat.

This guidance clarifies the regulatory permissions that covered entities may use to disclose PHI to first responders and others so they can take extra precautions or use personal protective equipment. The guidance also includes a reminder that generally, covered entities must make reasonable efforts to limit the PHI used or disclosed to that which is the “minimum necessary” to accomplish the purpose for the disclosure.

“Our nation needs our first responders like never before and we must do all we can to assure their safety while they assure the safety of others,” said Roger Severino, OCR Director. “This guidance helps ensure first responders will have greater access to real time infection information to help keep them and the public safe,” added Severino.

March 20, 2020: FAQs on Telehealth and HIPAA During the COVID-19 Nationwide Public Health Emergency

The Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS) issued guidance on telehealth remote communications following its Notification of Enforcement Discretion during the COVID-19 nationwide public health emergency.

The Notification, issued earlier this week, announced, effective immediately, that OCR is exercising its enforcement discretion to not impose penalties for HIPAA violations against healthcare providers in connection with their good faith provision of telehealth using communication technologies during the COVID-19 nationwide public health emergency.

The new guidance is in the form of frequently asked questions (FAQs) and clarifies how OCR is applying the Notification to support the good faith provision of telehealth.

March 17, 2020: Notice of Enforcement Discretion for Telehealth

The HHS Office for Civil Rights (OCR) announced on March 17, 2020, that it will waive potential HIPAA penalties for good faith use of telehealth during the nationwide public health emergency due to COVID-19.
A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.

The notification explains how covered health care providers can use everyday communications technologies to offer telehealth to patients responsibly.

March 16, 2020: Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency

In response to President Donald J. Trump’s declaration of a nationwide emergency concerning COVID-19, and Secretary of the U.S. Department of Health and Human Services (HHS) Alex M. Azar’s earlier declaration of a public health emergency on January 31, 2020, Secretary Azar has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
• the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
• the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
• the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
• the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
• the patient’s right to request confidential communications. See 45 CFR 164.522(b).

The waiver became effective on March 15, 2020. When the Secretary issues such a waiver, it only applies:
(1) in the emergency area identified in the public health emergency declaration;
(2) to hospitals that have instituted a disaster protocol; and
(3) for up to 72 hours from the time the hospital implements its disaster protocol.

When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

March 13, 2020: Waiver or Modification of Requirements Under Section 1135 of the Social Security Act

The Waiver was implemented “to ensure that sufficient health care items and services are available to meet the needs of individuals enrolled in the Medicare, Medicaid and CHIP programs and to ensure that health care providers that furnish such items and services in good faith, but are unable to comply with one or more of these requirements as a result of the consequences of the 2019 Novel Coronavirus (previously referred to as 2019-nCoV, now as COVID-19) pandemic, may be reimbursed for such items and services and exempted from sanctions for such noncompliance, absent any determination of fraud or abuse.”

February 2020: BULLETIN: HIPAA Privacy and Novel Coronavirus

This bulletin was released “to ensure that HIPAA covered entities and their business associates are aware of the ways that patient information may be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency.”

HHS – Emergency Situations: Preparedness, Planning, and Response

Summary of HIPAA Privacy Rule

Contact us at Kentucky REC with your questions. We’re here to help and are available at 859-323-3090.