The coronavirus pandemic has forced employers and health care providers to make difficult decisions about how to protect their customers, employees and patients, while at the same time protecting their personal information. Even during a national health emergency, however, covered entities (e.g., health plans and providers) must continue to comply with the privacy and security rules of the Health Insurance Portability and Accountability Act (“HIPAA”).

In recognition of the unique challenges being faced by covered entities in meeting their HIPAA obligations, the Department of Health and Human Services (“HHS”) has issued various forms of HIPAA-related guidance and enforcement relief, which we have summarized below.

  • Telehealth Applications. HHS has announced it will not impose penalties on healthcare providers who do not meet certain HIPAA standards by providing services in good faith via non-public facing applications, such as FaceTime and Zoom. HHS encourages healthcare providers to enter into business associate agreements (“BAAs”) with such video communication vendors, but states that it will not impose penalties against a healthcare provider if no BAA is in place. This exercise of enforcement discretion only applies during the COVID-19 public health emergency.
  • PHI Disclosures for Public Health and Health Oversight. HHS has announced it will not impose penalties for violations of certain HIPAA privacy rules against healthcare providers or their business associates for uses and disclosures of PHI for public health and health oversight activities. This exercise of enforcement discretion only applies during the COVID-19 public health emergency.
  • PHI Disclosure to First Responders and Others. HHS has clarified and provided examples of circumstances under which a covered entity may disclose the PHI of an individual who has been infected with COVID-19 to keep first responders and the public safe. For example, disclosure of PHI without the individual’s consent is permissible when made to a public health authority to prevent or control the spread of disease.
  • PHI Disclosure to Family, Friends and Others. HHS has issued guidance on how a covered entity can share PHI with an infected individual’s family members, friends or other care givers. For example, prior to sharing PHI with such parties, a healthcare provider should either (i) when possible, get verbal permission or be reasonably able to infer consent, or (ii) if the individual is incapacitated, make a determination that sharing PHI would be in the best interest of the patient.
  • Limited Waiver of HIPAA Sanctions. HHS has temporarily waived sanctions and penalties against covered hospitals that do not comply with certain provisions of the HIPAA privacy rule, including patient rights to request privacy restrictions and confidential communications. The waiver became effective March 15, 2020 and only applies: (i) in the emergency area identified in the HHS public health emergency declaration, (ii) to hospitals that have instituted a disaster protocol, and (iii) for up to 72 hours from the time the hospital implements its disaster protocol.

Despite the above described guidance and enforcement relief, the applicable rules for securing, protecting and disclosing PHI remain the same. As such, covered entities should continue to adhere to their standard HIPAA policies and procedures, but may want to consider providing additional HIPAA training specific to public health emergencies.

If you have any questions about HIPAA’s privacy and security rules, including related COVID-19 relief, please contact a member of our Employee Benefits Group.