
March 27, 2020
Health Law Weekly

Dispelling the Myths About HIPAA, Telehealth, and the Coronavirus

  • Rachel V. Rose, Rachel V. Rose—Attorney at Law PLLC

On March 11, 2020, the World Health Organization (WHO) characterized the novel coronavirus (COVID-19) as a pandemic.[1] Subsequently, on March 13, 2020, President Donald Trump declared a national emergency over COVID-19.[2] The Department of Health and Human Services (HHS) Secretary had already declared a public health emergency (PHE) on January 31, 2020 under Section 319 of the Public Health Service Act.[3]

The President’s national emergency declaration allowed the Secretary to exercise additional authorities under Section 1135 of the Social Security Act to, among other things, “temporarily modify or waive certain Medicare, Medicaid, Children’s Health Insurance Program (CHIP), and Health Insurance Portability and Accountability Act (HIPAA) requirements.”[4] These requirements may be waived or modified “to ensure that sufficient health care items and services are available to meet the needs of individuals enrolled in Social Security Act programs in the emergency area and time periods and that providers who provide such services in good faith can be reimbursed and exempted from sanctions (absent any determination of fraud or abuse).”[5]

HHS has since issued waivers related to HIPAA and to Medicare reimbursement for telehealth services during the coronavirus pandemic, while continuing to emphasize the need for ongoing compliance with HIPAA’s Privacy and Security Rules.

This article provides an overview of three areas related to HIPAA and the PHE: (1) privacy; (2) teleworking; and (3) telehealth. 

Privacy Rule

The Privacy Rule includes an exception for health care providers to report certain diseases or conditions of an individual patient to various state and federal government agencies, such as state health departments or the Centers for Disease Control and Prevention (CDC), for public health activities.[6] In a February 2020 Bulletin, HHS notes,

For example, a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV).[7]

The Bulletin also emphasizes limits on disclosing COVID-19 patient-related information.[8]

In general, except in the limited circumstances described elsewhere in this Bulletin, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization[.][9]

In addition, requirements for sharing information, including the minimum necessary standard,[10] remain in place.

For example, a covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV) is the minimum necessary for the public health purpose. In addition, internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties.[11]

Using nearly identical language to the Bulletin that HHS released during Hurricane Harvey in 2017,[12] a subsequent March 2020 HHS Bulletin notes that the Secretary “may waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.”[13] As did the Bulletin issued during Hurricane Harvey, HHS’ March 2020 Bulletin states:

Under these circumstances, the Secretary has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient's right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient's right to request confidential communications. See 45 CFR 164.522(b).

When the Secretary issues such a waiver, it only applies: (1) in the emergency area and for the emergency period identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.[14] 

Covered entities, business associates, and subcontractors should continue to follow the requirements of the Privacy Rule. While disclosing information to public health entities is not new, care should also be taken to consult local and state requirements for reporting communicable diseases and to adhere to individual state privacy and security laws related to protected health information (PHI).

Teleworking and the Security Rule

Even in emergency situations, the transmission of a patient’s information needs to occur in accordance with the Security Rule. As the HHS February 2020 Bulletin states:

In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.[15]

Organizations should already have in place policies and procedures for disasters (e.g., natural, manmade, cybersecurity attacks) and for government-declared emergencies, including Disaster Recovery and Business Continuity Plans. For workforce members who already work remotely, a checklist, an attestation, and training should already be in place. For workforce members who typically do not telecommute, organizations should have the individual complete the same checklist, verify that the attestations are truthful, provide additional training, and install the same security software that established remote workers use. Checklist items should include a secured Wi-Fi network and a workspace away from family members and friends. The Privacy Rule also requires reasonable safeguards when PHI is disposed of at home, such as cross-cut shredding of paper records.[16]

Employers should also keep workforce members up to date on government directives and changes in hours of operation. Ensuring continuing compliance with the Security Rule’s technical, administrative, and physical safeguards is vital to avoiding another crisis—a cybersecurity attack that results in a reportable breach.

Telehealth

On March 17, 2020, CMS issued a waiver under Section 1135 to expand access to telehealth services for Medicare beneficiaries. According to a CMS fact sheet describing the waiver,

[t]elehealth, telemedicine, and related terms generally refer to the exchange of medical information from one site to another through electronic communication to improve a patient’s health. Innovative uses of this kind of technology in the provision of healthcare is increasing. And with the emergence of the virus causing the disease COVID-19, there is an urgency to expand the use of technology to help people who need routine care, and keep vulnerable beneficiaries and beneficiaries with mild symptoms in their homes while maintaining access to the care they need. Limiting community spread of the virus, as well as limiting the exposure to other patients and staff members will slow viral spread.[17]

Prior to the waiver, Medicare only reimbursed for telehealth in limited circumstances, such as requiring the individual receiving the service to be in a designated rural area. The telehealth service also had to be provided at certain medical facilities to be reimbursable.[18]

The waiver, which is effective March 6, 2020, expands Medicare reimbursement for telehealth across the country, including when provided at a patient’s residence. Even before the waiver, Medicare began payments for brief communications, such as virtual check-ins (short patient-initiated communications with a medical professional). Medicare Part B also separately pays medical professionals for E-visits (non-face-to-face, patient-initiated communications through an online patient portal).

The Section 1135 waiver enables Medicare beneficiaries to receive a specific set of services through telehealth, including evaluation and management visits (common office visits), mental health counseling, and preventive health screenings.[19] 

With respect to HIPAA, the HHS Office for Civil Rights (OCR) issued a notice of enforcement discretion for telehealth communications during the PHE.[20] Under the notice,

[e]ffective immediately, the HHS Office for Civil Rights (OCR) will exercise enforcement discretion and waive penalties for HIPAA violations against health care providers that serve patients in good faith through everyday communications technologies, such as FaceTime or Skype, during the COVID-19 nationwide public health emergency.[21]

OCR also states that providers should enable all available encryption and privacy settings when using third-party applications, inform patients of the potential privacy risks, and enter into a business associate agreement where the vendor offers one (OCR’s notice lists Skype for Business among such vendors, and cautions against public-facing services).[22] Additionally, medical professionals should document a disclaimer that a patient who elects to have PHI sent over an unencrypted channel accepts that the data may be exposed in a cybersecurity incident.

It is important to note that while OCR will exercise discretion and waive penalties for HIPAA privacy and security violations in certain circumstances with the provision of telehealth, this enforcement discretion does not extend to the creation, receipt, maintenance, and transmission of PHI during regular business operations.

Conclusion

While HHS has authorized additional flexibilities during the PHE, it is imperative that providers continue to comply with HIPAA privacy and security requirements. It is also important to note that while the statute does not include a private right of action, HIPAA has been successfully used as the basis of common law negligence cases across the country,[23] as well as class actions.[24] If a provider is acting in good faith, then for purposes of telehealth, the likelihood of a successful lawsuit is diminished. Medical professionals, health care workers, and patients alike also must remain vigilant and take precautions against scams related to COVID-19, as the Cybersecurity and Infrastructure Security Agency (CISA) has warned.[25] Finally, providers should exercise care when rendering telehealth services, not only for purposes of HIPAA, but also in terms of substantiating the applicable service with documentation for medical necessity and mode of transmission of the visit.

About the Author

Rachel V. Rose—Attorney at Law, PLLC (Houston, TX)—advises clients on health care, cybersecurity, and qui tam matters. She also teaches bioethics at Baylor College of Medicine. She has been consecutively named by Houstonia Magazine as a Top Lawyer (Health care) and to the National Women Trial Lawyer’s Top 25 and National Trial Lawyers Top 100. She can be reached at [email protected].

 
[1] WHO, WHO Director-General’s opening remarks at the media briefing on COVID-19 (Mar. 11, 2020), https://www.who.int/dg/speeches/detail/who-director-general-s-opening-remarks-at-the-media-briefing-on-covid-19---11-march-2020.
[2] White House, Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak (Mar. 13, 2020), https://www.whitehouse.gov/presidential-actions/proclamation-declaring-national-emergency-concerning-novel-coronavirus-disease-covid-19-outbreak/.
[3] Pub. L. 78-410 (Jul. 1, 1944); see HHS, Secretary Azar Declares Public Health Emergency for United States for 2019 Novel Coronavirus, Jan. 31, 2020, https://www.hhs.gov/about/news/2020/01/31/secretary-azar-declares-public-health-emergency-us-2019-novel-coronavirus.html.
[4] Centers for Medicare & Medicaid Services (CMS), Waivers & flexibilities, https://www.cms.gov/About-CMS/Agency-Information/Emergency/EPRO/Resources/Waivers-and-flexibilities (last visited Mar. 23, 2020).
[6] 45 C.F.R. § 164.512(b)(1)(i).
[7] HHS, Bulletin: HIPAA Privacy and Novel Coronavirus (Feb. 2020), https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf.
[8] Id.
[9] HHS, Bulletin: HIPAA Privacy and Novel Coronavirus (Feb. 2020), https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf.
[10] 45 C.F.R. §§ 164.502(b), 164.514(d).
[11] Id.
[12] HHS, Hurricane Harvey & HIPAA Bulletin: Limited Waiver of HIPAA Sanctions and Penalties During a Declared Emergency, https://www.hhs.gov/sites/default/files/hurricane-harvey-hipaa-bulletin.pdf (last visited Mar. 24, 2020).
[13] HHS, Bulletin: COVID-19 & HIPAA Bulletin Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency (Mar. 2020), https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf.
[14] Id. See also supra note 12.
[15] See supra note 13.
[16] HHS, What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of protected health information?, https://www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html (last visited Mar. 26, 2020).
[17] See CMS, Medicare Telemedicine Healthcare Provider Fact Sheet, https://www.cms.gov/newsroom/fact-sheets/medicare-telemedicine-health-care-provider-fact-sheet (Mar. 17, 2020).
[18] Id.
[19] Id.
[20] OCR, Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency, Mar. 17, 2020, https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html.
[22] OCR, Notification of Enforcement Discretion, supra note 20.
[23] R.K. v. St. Mary’s Med. Ctr., Inc., 735 S.E.2d 715 (W. Va. 2012); Acosta v. Byrum, 638 S.E.2d 246 (N.C. Ct. App. 2006).
[24] In re: Anthem Inc. Data Breach Litig., Case No. 5:15-md-02617 (N.D. Cal. 2017) (ending the case with a $115 million settlement).