The COVID-19 pandemic did not result in any long-lasting changes to HIPAA, but it did bring unparalleled flexibilities, introduced on a short-term basis, to ease the burden on healthcare organizations and business associates that are fighting COVID-19.
During emergencies such as disease outbreaks, the HIPAA Rules remain in effect, and the requirements of the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule are unchanged. Enforcement of compliance, however, may be lenient.
OCR issued three Notices of Enforcement Discretion in 2020 and one in 2021 in response to the COVID-19 pandemic, waiving penalties and sanctions for some HIPAA violations for the duration of the COVID-19 nationwide public health emergency.
The Notices of Enforcement Discretion
Good Faith Telehealth Remote Communications throughout the COVID-19 Countrywide Public Health Emergency
OCR announced the first Notice of Enforcement Discretion regarding COVID-19 on March 17, 2020; it relates to the good faith provision of telehealth services. OCR is waiving possible fines for HIPAA violations by healthcare organizations that provide virtual care to patients through everyday communications technologies for the duration of the COVID-19 nationwide public health emergency.
This means healthcare organizations are allowed to use everyday communications tools to deliver telehealth services to patients, even when those tools would not usually be regarded as fully HIPAA compliant.
Platforms such as Skype, FaceTime, Zoom, and Google Hangouts video may be used in the good faith provision of telehealth services to patients without penalty throughout the public health emergency. However, public-facing platforms such as TikTok and Facebook Live should not be used.
Good Faith Uses and Disclosures of PHI by Business Associates Involving Public Health and Health Oversight Activities
On April 2, 2020, OCR announced that it will exercise enforcement discretion and will not impose sanctions and penalties on business associates of HIPAA-covered entities for uses and disclosures of PHI involving public health and health oversight activities. HIPAA does not allow these uses and disclosures unless a business associate agreement (BAA) permits them. Throughout the public health emergency, BAs will not be penalized for these uses and disclosures, provided they inform the covered entity after the event, within 10 days of the use or disclosure of PHI.
Involvement in the Operation of Community-Based Testing Sites Throughout the COVID-19 National Public Health Emergency
OCR announced on April 9, 2020, that it will exercise enforcement discretion for non-compliance with the HIPAA Rules relating to good faith participation in the operation of COVID-19 community-based testing sites (CBTS) and will not impose sanctions and penalties on covered entities (CEs) and business associates (BAs) at drive-through, walk-up, and mobile sites.
The Notice of Enforcement Discretion covers the operation of these sites and all activities that support the collection of specimens from individuals solely for COVID-19 testing. Although penalties will not be applied, “OCR encourages covered health care providers taking part in the good-faith operation of a CBTS to employ reasonable safeguards to keep safe the privacy and security of the PHI of individuals.”
The Notice of Enforcement Discretion is retroactive to March 13, 2020.
Notice of Enforcement Discretion Concerning Online or Web-Based Scheduling Applications for Booking of COVID-19 Vaccination Appointments
OCR announced another Notice of Enforcement Discretion on January 19, 2021, to assist HIPAA-covered entities with the supply of COVID-19 vaccines.
OCR stated that HIPAA sanctions and penalties would not be imposed on HIPAA-covered entities or their business associates in connection with the good faith use of online or web-based scheduling applications (WBSAs) for scheduling COVID-19 vaccination appointments.
WBSAs may be used to book COVID-19 vaccination appointments even though their use would not typically be regarded as fully compliant with the HIPAA Rules (e.g., no business associate agreement).
The Notice of Enforcement Discretion does not cover the use of a WBSA for scheduling vaccination appointments if the WBSA provider has prohibited the use of its WBSA for scheduling healthcare appointments. Enforcement discretion also does not apply when the WBSA is used for anything other than booking COVID-19 vaccination appointments, for example arranging appointments for other medical services or screening for COVID-19 prior to scheduling an in-person healthcare visit.
Any WBSA should have privacy and security safeguards that can be enabled to protect the privacy and confidentiality of medical data. OCR urges HIPAA-covered entities and their business associates to make certain that safeguards are implemented, for instance by using encryption where possible, adhering to the minimum necessary standard, and activating all privacy controls.
The Notice of Enforcement Discretion took effect on January 19, 2021, and is retroactive to December 11, 2020.