“We are empowering medical providers to serve patients wherever they are during this national public health emergency. We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.” – Roger Severino, Director, HHS Office of Civil Rights.

Over the course of the last few days, the Department of Health and Human Services (HHS) has issued guidance waiving compliance with certain HIPAA privacy and security regulations, making it easier for our essential health care providers to obtain protected health information and deliver necessary care and services to those in need during the COVID-19 pandemic. OCR will exercise its discretion and will not impose penalties for noncompliance with regulatory requirements as long as health care providers are acting in good faith.

During this unprecedented national public health emergency, the OCR is relaxing enforcement of certain key regulations issued to protect the privacy and security of protected health information. Now and until the national emergency is over, covered entities otherwise subject to the strict HIPAA Privacy, Security and Breach Notification Rules may:

  • communicate with a patient’s family members or friends without authorization or consent, recognizing that the public interest outweighs the patient’s right to confidentiality.
  • disclose, without patient authorization, protected health information to a public health authority such as the CDC or a state or local health department; a foreign government agency; and to those at risk of contracting or spreading a disease or condition. Providers must make reasonable efforts to limit the information to the “minimum necessary” to achieve the reporting purpose.
  • provide telehealth services through any non-public-facing remote audio or video communications technology or product available to communicate with patients, even if that product is not otherwise compliant with the requirements of HIPAA. This exception applies to telehealth provided for ANY reason, not just for diagnosis and treatment of health conditions related to COVID-19. Under this Notice, “providers may use popular applications that allow for video chats, including FaceTime, Facebook Messenger video chat, Google Hangouts video or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules.” Before using non-HIPAA-compliant applications, providers should attempt to enable all available encryption and privacy modes and should notify the patient that the chosen application potentially introduces privacy risks. In addition, the provider does not need to obtain a Business Associate Agreement with the application vendor. OCR did warn that certain applications such as Facebook Live, Twitch and TikTok are public-facing and should not be used under any circumstances.

In addition, the HHS will waive sanctions and penalties against a covered hospital that does not comply with requirements:

  • to honor a patient’s request to opt out of the facility directory;
  • to distribute a notice of privacy practices;
  • to honor a patient’s request for privacy restrictions; and
  • to honor a patient’s right to request confidential communications.

See more on the HHS’s limited waiver of HIPAA sanctions and penalties during this nationwide public health emergency.