The COVID-19 pandemic is reshaping many areas of law and regulation as businesses grapple with maintaining compliance while also responding to the fluid needs of their clients and employees. In an effort to ease the regulatory burden on businesses, certain government agencies have announced that their offices will exercise discretion or waive penalties for certain instances of noncompliance that result specifically from acting responsibly in COVID-19’s wake. In particular, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued two bulletins regarding the COVID-19 response.

The first, issued on March 16th, is a limited waiver of HIPAA sanctions and penalties for violations of the HIPAA Privacy Rule. Specifically, sanctions and penalties are waived for covered hospitals that do not comply with the HIPAA Privacy Rule’s requirements to: (i) obtain patient consent before speaking with family members or friends involved in the patient’s care; (ii) honor requests to opt out of the facility directory; (iii) distribute Notices of Privacy Practices; (iv) provide for the patient’s right to request privacy restrictions; and (v) provide for the patient’s right to request privacy. At present, the waiver applies only to hospitals in the emergency area that have instituted a disaster protocol, and only for up to 72 hours from the time the hospital institutes the disaster protocol. A copy of the bulletin may be found here.

The second bulletin was released on March 17th. This bulletin issued a Notification of Enforcement Discretion, waiving penalties during the COVID-19 national emergency for the good faith use of telehealth that may fall short of the HIPAA Privacy Rule requirements. Here the OCR specifically permitted the use of video-chat applications on a health care provider’s phone or computer, using technology like Apple FaceTime, Skype, Google Hangouts, and similar technology in the course of providing telehealth. This waiver applies to all treatment by telehealth—not just the diagnosis and treatment of COVID-19. The bulletin did specifically caution against using Facebook Live, Twitch, TikTok, and similar public-facing video communication tools, and encouraged providers to notify patients about the potential privacy risks associated with third-party applications. The OCR further stated that it would not penalize covered health care providers for the lack of a business associate agreement with video communication vendors. The OCR notice included a list of vendors to consider for providing telehealth, including Skype for Business/Microsoft Teams, Updox, VSee, Zoom for Healthcare, and Google G Suite Hangouts Meet, but did not necessarily endorse the use of those vendors. Rather, the referral was based on the OCR’s belief that those vendors would enter into a business associate agreement. A copy of the bulletin may be found here.

While this waiver in some ways increases the risk of patient data breaches, it does make telehealth more widely available. Such a movement will immediately expand health care providers’ ability to see patients virtually while responding in person to greater challenges.