Blog | Protenus

HIPAA Exceptions During a National Emergency: Updates and Reminders

Operating during COVID-19 means that business is far from usual, especially in healthcare. For hospital compliance and privacy officers, exceptions to some HIPAA regulations, particularly about telemedicine, may affect their work throughout this national emergency. The Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS) has announced several such changes, and is likely to continue to do so as the pandemic continues in coming weeks. 

For those hospitals and healthcare systems that have telemedicine programs and policies in place, these changes will likely not be overly challenging; for those healthcare teams turning to telemedicine to prevent the spread of COVID-19, these changes will allow them to use video systems that may ordinarily not meet stringent HIPAA Security Rule requirements. The purpose of these changes is not to water down HIPAA requirements, but rather to foster patient care in a safe and secure environment, and to allow health information to be shared easily and quickly when necessary.

Remember that even in the midst of this crisis, the HIPAA regulations are still to be enforced. The Privacy and Security Rules, along with the Breach Notification Rule and the HITECH Act, are still operable and enforceable, as are other laws designed to protect patient privacy. However, certain exceptions under these regulations allow for the disclosure of Personal Health Information (PHI) during a crisis, such as to first responders or public health officials. These disclosures are not problematic and, in the case of public health, are a mandatory part of disease control, surveillance, and prevention. 

While patients still retain the basic right to control the disclosure of their own medical information, disclosure restrictions may be lessened during a declared health crisis. Hospitals have always been able to share treatment information with family members and other caregivers under certain circumstances, and that is especially true now during the COVID-19 pandemic. If a patient is unable to speak or communicate for himself or herself, or unable to make medical decisions about his or her care and treatment, health professionals must communicate with family members in that regard. However, other protections under HIPAA remain.

In terms of telemedicine, each organization will have to decide whether or not it can offer such services according to its own technology and policies. OCR’s exceptions are simply notifying healthcare organizations that they may, during the crisis, use whatever tools are necessary to deliver care by using telemedicine. While organizations and providers should always be mindful of security issues, OCR will not enforce the usual limitations or requirements. Under normal circumstances, tools like FaceTime would not, for example, be an acceptable telemedicine platform. 

Under the recently passed CARES Act (Coronavirus Aid, Relief and Economic Security Act), enacted by Congress on March 27, 2020, certain restrictions under 42 C.F.R. Part 2, commonly known as the substance abuse regulations, have also been updated. Disclosure restrictions have been slightly eased, allowing providers to more easily share health information. Some of the changes will bring the Part 2 regulations more in line with HIPAA rules.

Protenus applauds the work, dedication, and tenacity of our customers, and all healthcare workers, for we know how hard this time is for them all. Our own team of former compliance experts and hospital staff are always available to help customers and their individual team members who feel overwhelmed. We are just an email or phone call away.

For additional information, OCR has a new webpage with all of its COVID-19 related guidance at:

Email us at if you have any questions as to how the Protenus platform can help your organization better monitor patient privacy.
