Temporary flexibilities in HIPAA enforcement have been introduced to ease the fight against COVID-19 for healthcare providers and business associates. The Office for Civil Rights (OCR) has announced four Notices of Enforcement Discretion in response to the COVID-19 pandemic:
- Telehealth Remote Communications
  - March 17, 2020: OCR waives penalties for HIPAA violations by healthcare providers that provide virtual patient care through everyday communications technologies. These violations mainly pertain to the HIPAA Security Rule, as these technologies, including FaceTime, Skype, Zoom, and Google Hangouts, are generally less secure.
- Uses and Disclosures of PHI by Business Associates for Public Health and Health Oversight Activities
  - April 2, 2020: OCR waives penalties for HIPAA violations by business associates of HIPAA-covered entities for uses and disclosures of PHI for public health and health oversight activities. These activities, however, must be stated in a business associate agreement (BAA). Business associates must notify the covered entity within 10 days of the use or disclosure.
- Operation of Community-Based Testing Sites for COVID-19
  - April 9, 2020 (retroactive to March 13, 2020): OCR waives penalties for HIPAA violations by covered entities and business associates that work at drive-through, walk-up, and mobile COVID-19 testing sites. These sites and their activities only collect specimens from individuals for COVID-19 testing. OCR still encourages reasonable privacy and security safeguards.
- Online or Web-Based Scheduling Applications for Scheduling of COVID-19 Vaccination Appointments
  - January 19, 2021 (retroactive to December 11, 2020): To help with the rollout of COVID-19 vaccines, OCR waives penalties for HIPAA violations by covered entities or their business associates concerning the use of online or web-based scheduling applications (WBSAs) for scheduling COVID-19 vaccination appointments. The WBSA provider must state that it is acceptable to use its WBSA to make healthcare appointments. This discretion does not apply if the WBSA is used for services other than booking COVID-19 appointments, such as scheduling appointments for other services or conducting COVID-19 screening before scheduling an in-person visit. WBSAs must have privacy and security safeguards, such as encryption.
OCR has also proposed several other changes, such as:
- Permitting patients to inspect their PHI in person and take notes and/or pictures of their records.
- Reducing response time for covered entities to give patients access to their PHI from 30 days to 15 days.
- Creating a pathway for patients to share their PHI among covered entities directly.
- Allowing scenarios for when ePHI must be provided to the patient free of charge.
- Requiring covered entities to release estimated fee schedules on their websites for PHI access and disclosures with the patient’s consent.
- Requiring covered entities to release estimated fee schedules on their websites for a patient’s request for copies of their PHI.
- Eliminating the requirement of obtaining a patient’s written consent on a provider's Notice of Privacy Practices.
- Public comments on the Notice of Proposed Rulemaking (NPRM) are due 60 days after its publication in the Federal Register.
Additionally, the Coronavirus Aid, Relief, and Economic Security (CARES) Act adjusted the 42 CFR Part 2 regulations so that patients with substance abuse disorders (SUD) can also get necessary treatment during the COVID-19 pandemic. This requires healthcare providers to be able to share SUD PHI freely with other providers for treatment, payment, and healthcare operations (TPO). To do so, patients with SUD can give broad consent to sharing their PHI instead of explicitly signing off on which entities can access it. As a result of allowing broad consent, the regulations and requirements regarding a confidentiality breach are stricter.