Some Restrictions Apply: Limits and Risks of OCR’s COVID-19 Notifications of HIPAA Enforcement Discretion

To help combat the ongoing COVID-19 pandemic, the Department of Health and Human Services (DHHS) and its Office for Civil Rights (OCR) has recently issued four notifications of enforcement discretion—in OCR-speak, promises not to impose penalties for certain specified violations of HIPAA. These enforcement discretion notifications amount to unprecedented waivers of HIPAA requirements while DHHS’s nationwide public health emergency declaration is in effect.

But they are not a get-out-of-jail-free card. Important limitations still apply to each waiver. And just as important, covered entities and business associates face additional risks beyond the threat of OCR enforcement for activities covered by the waivers. 

This post discusses each of these notices of enforcement discretion and the risks about which covered entities and business associates should be aware as they consider altering their practices to respond to the pandemic.

Waiver for Hospital Operations Limited to 72-Hours

On March 16, DHHS issued a bulletin announcing that it was waiving HIPAA sanctions and penalties for HIPAA-covered hospitals’ violations of five specific Privacy Rule requirements:

• The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care;
• The requirement to honor a request to opt out of the facility directory;
• The requirement to distribute a notice of privacy practices;
• The patient’s right to request privacy restrictions; and
• The patient’s right to request confidential communications.

That waiver, however, came with a critical limitation: it only applies to hospitals that have instituted a disaster protocol, and then only for the shorter of the first 72 hours from the time the hospital institutes its disaster protocol or until the COVID-19 public health emergency declaration expires.

Given those limitations, hospitals should weigh carefully whether to change their privacy practices in connection with their institution of disaster protocols. Hospitals should also note that DHHS has not waived enforcement of the rest of the Privacy Rule, including other individual rights provisions and authorization requirements.

OCR’s Telehealth Communications Notification Facilitates Extension of Telehealth Services

On March 17, OCR issued a notification that it would waive penalties for HIPAA violations in connection with a health care provider’s good faith use of non-public facing audio or video communication products to provide telehealth services during the COVID-19 public health emergency—no matter why the telehealth services are provided. That notification listed services such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Whatsapp video chat, Zoom, and Skype as permissible telehealth applications.  

The notification, as well as a set of FAQs OCR issued later that same week, suggested some limits and best practices for providing telehealth services using these platforms. Of particular note, OCR offered some guidance on the requirement—that would otherwise apply—for the health care provider to enter into a business associate agreement with the provider of any communication services.

To that end, OCR suggested in its original notification that it would not impose penalties on a health care provider for failing to enter into a business associate agreement with a telehealth communications provider. But it also stated that “health care providers that seek additional privacy protections” should use communication services that comply with HIPAA and whose providers will execute a business associate agreement. OCR also listed several communications services that represent they would sign a business associate agreement, including Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me, Google G Suite Hangouts Meet, Amazon Chime, WebEx, GoToMeeting, and Spruce Health Care Messenger.

Those statements suggest OCR strongly prefers services that include valid business associate agreements as part of their terms. Among other benefits, entering into a business associate agreement with the communications service would also allow health care providers to continue to provide telehealth services through that service even after the COVID-19 public health emergency declaration expires.

The related FAQs suggest additional limitations and best practices:

• Health care providers should assess where their patients are located during telehealth services and assess the privacy impacts of that location. For example, one FAQ provides that patients should not receive telehealth services in public or semi-public settings without their consent or exigent circumstances. That statement suggests that health care providers should assess whether the patient is in a private setting and—if not—determine whether verifying consent is necessary or whether exigent circumstances sufficient to permit discussing PHI in that setting are present. Additionally, another FAQ states that providers should direct their patients to move a reasonable distance from others when discussing PHI if a private delivery setting is unavailable.
• OCR still expects health care providers to take safeguards by providing telehealth in private settings, such as a private clinic office. When a private location is unavailable, the FAQs suggest that OCR expects providers to continue to implement safeguards to limit incidental disclosures of PHI.
• The telehealth enforcement waiver only applies to health care providers and not to other types of covered entities, such as health plans paying for or offering telehealth services.

Business Associates Can Use and Disclose PHI for Public Health and Health Oversight Activities

On April 2, DHHS issued an enforcement discretion notification that would permit business associates to make good faith uses or disclosures of a covered entity’s PHI for public health or health oversight activities—regardless of whether the relevant business associate agreement permits such a use or disclosure. For example, a business associate could make a disclosure to the CDC to control the spread of COVID-19 or to the Centers for Medicare and Medicaid Services to assist or manage the health care system’s response to COVID-19.

Business associates should note this notification solely applies to HIPAA’s requirement that restricts business associate use and disclosures of PHI to uses and disclosures permitted by a business associate agreement or required by law. Business associates should therefore ensure they continue to comply with all other applicable requirements of the Privacy Rule, the Security Rule, and the Breach Notification Rule to avoid HIPAA enforcement. For example, business associates should ensure that transmissions of ePHI to public health authorities are appropriately secured under the Security Rule.

Business associates must also inform the covered entity within 10 calendar days of the use or disclosure for public health or health oversight activities to benefit from this notification. Business associates might also consider advance consultation with the relevant covered entity before disclosing PHI—if possible—because the notification does not address business associate liability in contract to the covered entity. Coordination with the covered entity might forestall later disputes and help address any relevant ambiguity in business associate agreements or related contracts.

HIPAA Requirements Waived to Facilitate Community-based Testing Sites

On April 9, DHHS issued a notice that OCR would not impose penalties for violating the HIPAA Privacy, Security, or Breach Notification rules against covered health care providers and their business associates in connection with the good faith operation of Community-based Testing Sites (CBTS). The notice describes CBTSs as “COVID-19 specimen collection and testing sites,” which “includes mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public.”

This exercise of enforcement discretion, however, comes with several limits and best practice suggestions.

First, the waiver applies only to CBTS functions and not to any other HIPAA-covered operations. For example, the notification states that a covered entity that experiences a breach of a database that contains both CBTS PHI and non-CBTS PHI is expected to notify all CBTS and non-CBTS patients pursuant to the Breach Notification Rule. Another example states that a retail pharmacy operating a CBTS in its parking lot would still be liable for HIPAA violations unrelated to the CBTS that occur within the store. Thus, drawing clear lines between a CBTS and other HIPAA-covered operations will help ensure HIPAA-covered CBTS participants benefit from this exercise of enforcement discretion.

Second, DHHS also encourages the use of specific privacy and security safeguards in connection with operation of a CBTS—though the notification also states that OCR will not impose penalties against good-faith CBTS participants that do not provide these safeguards. The encouraged safeguards are:

• Using and disclosing the minimum necessary amount of PHI;
• Setting up opaque barriers and canopies to provide privacy to individuals being tested;
• Managing foot and vehicle traffic to provide distancing between the point of service and other individuals to minimize opportunities to observe or overhear the testing process;
• Posting signs prohibiting filming and creating a buffer zone to keep media and members of the public from filming the CBTS;
• Using secure technology to transmit ePHI; and
• Posting a notice of privacy practices or direction for where patients can find a notice of privacy practices online in a place that is readily viewable by individuals approaching a CBTS.

Third, the notification applies only to covered health care providers and their business associates. When a covered health care provider also performs health plan functions, the waiver applies only to the covered health care provider function to the extent it participates in a CBTS.

Enforcement Discretion Notifications Do Not Eliminate All Risk

Before adjusting HIPAA compliance programs based on the DHHS and OCR enforcement discretion notifications discussed above, health care providers and business associates should keep these points in mind:

• DHHS and OCR Enforcement Discretion Notifications Do Not Bind State Attorneys General. State attorneys general have overlapping authority with OCR to enforce HIPAA. While exercises of that authority have historically been less common, they are not unprecedented: just last year, state attorneys general obtained a $900,000 settlement of a lawsuit brought against a business associate for various HIPAA violations. Health care providers and business associates should thus remember that DHHS and OCR’s notifications do not eliminate the possibility of HIPAA enforcement against them.
• State Privacy Laws May Still Apply. State laws may also impose relevant restrictions that continue to apply. For example, the Texas Medical Privacy Act’s notice and authorization requirements for the electronic disclosure of PHI may apply even if HIPAA’s notice and authorization requirements are waived. State data breach notification laws may also require notification of PHI breaches even where OCR will not enforce the Breach Notification Rule. Applicable state law requirements should also be assessed before adjusting privacy practices based on DHHS and OCR’s enforcement discretion notifications.
• OCR’s Enforcement Discretion Notifications Do Not Preclude Investigations. DHHS and OCR’s notifications only waive OCR’s ability to obtain penalties—not its ability to investigate potential HIPAA violations. Patient complaints to OCR that do not obviously raise COVID-19 response situations may still lead to burdensome and costly investigations. Continuing to follow HIPAA-compliant practices as much as possible may help avoid patient complaints. Additionally, documenting implementation of relevant enforcement discretion notifications may help efficiently address OCR inquiries.

Conclusion While DHHS and OCR’s enforcement discretion notifications provide welcome flexibility for health care providers and business associates to respond to the COVID-19 pandemic, those notifications have important limitations and do not eliminate all risks of altering privacy practices to respond to the pandemic.