Some impacted healthcare entities, tasked with complying with myriad state and federal rules pertaining to privacy, may be aware that certain HIPAA privacy regulations have been relaxed due to the COVID-19 outbreak. Despite this, these entities should be aware that enforcement of certain HIPAA obligations continues.
The Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) is responsible for enforcing certain regulations issued under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, to protect the privacy and security of protected health information, namely the HIPAA Privacy, Security and Breach Notification Rules (the “HIPAA Rules”). On March 15, 2020, the U.S. Secretary of HHS, Alex Azar, issued a limited waiver of certain provisions of the HIPAA Privacy Rule in order to address additional challenges placed on healthcare providers during the national emergency. Secretary Azar exercised the authority to waive sanctions and penalties against a covered hospital that fails to comply with limited provisions of HIPAA. The provisions that were waived include but are not limited to the following:
- the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patients care (45 CFR § 164.510(b));
- the requirements to honor a request to opt out of the facility directory (45 CFR § 164.510(a));
- the requirement to distribute a notice of privacy practices (45 CFR § 164.520);
- the patient’s right to request privacy restrictions (45 CFR § 164.522(a)); and
- the patient’s right to request confidential communications (45 CFR § 164.522(b)).
HHS has also specified that OCR will utilize its enforcement discretion by not imposing penalties for noncompliance with the HIPAA rules requiring covered providers in connection with the good faith provision of telehealth during the COVID-19 pandemic, in an effort to bolster telehealth utilization.
However, healthcare providers, plans, and others are still required to follow all other HIPAA requirements, including the Minimum Necessary Rule (45 CFR § 164.502(b), 164.514(d)). Under the Minimum Necessary Rule, covered entities are required to limit unnecessary or inappropriate access to and disclosure of protected health information. This requirement applies today, despite the burden this may place on healthcare providers and other healthcare entities during the current national emergency.
Heather Claus and Aaron Claxton are healthcare attorneys at Wilke Fleury. Their practices include assistance with health care service plans, insurance regulatory matters and healthcare litigation.