Each week brings additional information and guidance from the Department of Health and Human Services (HHS) related to the applicability and enforcement of the federal laws and regulations related to patient confidentiality during the COVID-19 public health emergency.
The Office for Civil Rights (OCR) has issued temporary waivers of some requirements under the Health Insurance Portability and Accountability Act (“HIPAA”) Rules, as well as COVID-19 specific guidance on disclosure of patient information to first responders. The Substance Abuse and Mental Health Services Administration (SAMHSA) has issued clarifying guidance on the federal regulations governing the Confidentiality of Substance Use Disorder Patient Records (42 CFR Part 2 (“Part 2”)) and the disclosures permitted in a bona fide medical emergency.
Below we have summarized the various items released by OCR and SAMHSA as of April 7, 2020. Health centers should review this information, and the underlying documents, carefully to ensure compliance during and after the COVID-19 public health emergency.
Related to HIPAA, OCR has issued a limited waiver for hospitals, notices of enforcement discretion for covered entities and business associates, and guidance on the disclosure of protected health information (PHI) to first responders.
- Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency (“Limited Waiver”): On March 15, HHS’s Limited Waiver became effective. The Limited Waiver applies to any hospital that has instituted its disaster protocol. The Limited Waiver lasts for up to 72 hours from the time the disaster protocol is implemented. Under the Limited Waiver, HHS waives sanctions and penalties against a covered hospital for non-compliance with the following provisions of the HIPAA Privacy Rule:
  - Requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
  - Requirement to honor a request to opt out of the facility directory
  - Requirement to distribute a notice of privacy practices
  - Patient’s right to request privacy restrictions
  - Patient’s right to request confidential communications
Health Center Compliance Note: The Limited Waiver applies only to hospitals; it does not apply to health centers.
- Notice of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (Notice of Enforcement Discretion for Telehealth) and FAQ on Telehealth: On March 17, OCR announced that it will temporarily waive potential HIPAA penalties for covered entities (including health centers) that serve patients through non-public communication technologies during the COVID-19 public health emergency. Where a covered entity would usually be required to execute a business associate agreement (BAA) with a vendor providing video communication products, under the Notice of Enforcement Discretion for Telehealth, covered entities may use non-public communication technologies, such as FaceTime, Skype, and Zoom, without an executed BAA. Covered entities are prohibited from using public communication technologies, such as Facebook Live, Twitch, and TikTok. The Notice of Enforcement Discretion for Telehealth includes a list of vendors that have represented to OCR that they provide HIPAA-compliant video communication products and will sign a BAA.
Health Center Compliance Note: Health centers that have launched or expanded telehealth and anticipate continuing with telehealth after the COVID-19 public health emergency ends should ensure they have executed a BAA with a HIPAA-compliant telehealth vendor(s). Once the COVID-19 public health emergency ends, OCR will re-start enforcement of the BAA and other compliance requirements. Having a HIPAA-compliant telehealth vendor in place will ensure the health center’s compliance with the HIPAA Rules and provide patients and staff members with seamless telehealth services post-COVID-19.
- COVID-19 and HIPAA Disclosures to Law Enforcement, Paramedics and Other First Responders, and Public Health Authorities (COVID-19 Disclosure Guidance): The HIPAA Privacy Rule permits covered entities to disclose PHI without a patient’s consent or authorization for certain purposes, including treatment, for public health activities, to those involved in a patient’s care or to notify such individuals, and to anyone in a position to prevent or lessen a serious and imminent threat. The COVID-19 Disclosure Guidance clarifies that, when authorized by law, a covered entity may disclose PHI to a first responder who may be at risk of infection because they have been exposed to COVID-19 or may otherwise be at risk of contracting or spreading COVID-19. Covered entities may disclose PHI to first responders when the disclosure is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. The COVID-19 Disclosure Guidance includes two examples of disclosures to EMS dispatch and first responders.
Health Center Compliance Note: Health centers must identify and understand their public health reporting obligations under state and local laws and regulations, as well as the disclosures permitted under the HIPAA Rules, when determining whether they can disclose PHI without a patient’s consent or authorization.
- Notice of Enforcement Discretion for Business Associates: On April 2, OCR announced that it will temporarily waive potential HIPAA penalties for covered entities and business associates when a business associate uses or discloses PHI for public health and health oversight activities during the COVID-19 nationwide public health emergency. Where a business associate would usually only be permitted to use and disclose PHI as permitted under a business associate agreement (or other written agreement/arrangement), or as required by law, under the Notice of Enforcement Discretion for Business Associates, OCR will waive potential HIPAA penalties if the business associate makes a good faith use or disclosure of PHI for public health activities (45 CFR 164.512(b)) or for health oversight activities (45 CFR 164.512(d)). Within ten calendar days the business associate must inform the covered entity of the use or disclosure.
Health Center Compliance Note: Health centers should ensure that information about a business associate’s disclosures for public health activities or health oversight activities is documented in the patient’s record. Records of disclosures permitted by 45 CFR 164.512(b) and (d) must be maintained and made available should a patient request an accounting of disclosures under 45 CFR 164.528.
OCR has established a HIPAA, Civil Rights and COVID-19 webpage. Health centers should check OCR’s webpage regularly for updated and new items and monitor the information sent through the OCR Privacy and Security Listserv.
SAMHSA has issued guidance on the use and disclosure of Part 2-protected information during COVID-19. The Part 2 regulations apply only to certain substance use disorder records. For health centers, Part 2 applies: (1) if the health center provides substance use disorder services in a way that meets the definition of a “program” under the regulation, or (2) if the health center receives records from a Part 2 program, making the health center a “lawful holder” of records protected by Part 2. SAMHSA’s guidance only applies to records protected by Part 2.
- COVID-19 Public Health Emergency Response and 42 CFR Part 2 Guidance: On March 19, SAMHSA issued a guidance document on the use and disclosure of Part 2-protected information during the COVID-19 pandemic. The guidance emphasizes that, under the medical emergency exception at 42 CFR 2.51, a Part 2 program or lawful holder may disclose Part 2-protected information without a patient’s consent if the provider determines a bona fide medical emergency exists for the purpose of providing needed treatment to patients.
Health Center Compliance Note: Under the medical emergency exception, Part 2-protected information may only be disclosed to medical personnel; each disclosure must be immediately documented as described under 42 CFR 2.51(c); and the amount of information disclosed must be limited to the information necessary to carry out the purpose of the disclosure per 42 CFR 2.13(a).
SAMHSA has established a Coronavirus (COVID-19) webpage where the Part 2 guidance and other resources are posted.
Questions? If you have questions about this Client Alert or other matters, please contact Dianne Pledgie, or call FTLF at (202) 466-8960.
 Health centers looking for support on determining whether Part 2 applies and/or how to comply with Part 2 may find the following FTLF offerings helpful: 42 CFR Part 2 Webinar Series or Confidentiality for Health Centers Toolkit. FTLF attorneys are also available to provide legal advice and support by contacting email@example.com.