Privacy and Compliance Considerations for Health Care Providers during the COVID-19 Emergency

04/09/2020 / Matthew Bergeron

The ongoing COVID-19 pandemic has thrown economic and health care systems into disarray across the globe. In the United States, hospital systems and departments of health have scrambled to identify ways to decrease the spread of the infection while preparing the health care system for the onslaught of patients that overwhelmed hospitals in other counties. As part of that effort, significant attention has been devoted to the ongoing role of existing privacy regulations and various adaptations that could support the remote provision of health care services.

Allowable Releases without Consent Under HIPAA

In early February, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) responded to increased concern over the global spread of COVID-19 by issuing an informational bulletin advising HIPAA covered entities and their business associates of the ways in which patient information can be shared without written consent under the HIPAA Privacy Rule in response to an outbreak of infectious disease. Specifically, the bulletin noted that:

The Privacy Rule permits covered entities to disclose needed protected health information without individual authorization:

  • To a public health authority such as the CDC or a state or local health department;

  • At the direction of a public health authority;

  • To persons at risk of contracting or spreading a disease or condition otherwise authorized by law to prevent the spread of the disease; and

  • To anyone necessary to prevent a serious and imminent threat, in any way consistent with applicable law and provider ethics.

The bulletin also made a point to note that the Privacy Rule remained in force in times of emergency and the “minimum necessary” standard for use and disclosure still applied. The full bulletin can be found here.

Allowable Platforms for Telehealth

On March 17, 2020, OCR announced that, effective immediately, it would exercise enforcement discretion and waive potential penalties for HIPAA violations that may occur as a result of covered entities providing patient care through “every day communications technologies” during the COVID-19 emergency. Specifically, OCR stated that covered entities may use “any non-public facing remote communication product that is available to communicate with patients.”

The guidance continued, noting that popular video applications such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype could all be used to provide telehealth without risk of penalty from OCR. The guidance also stated that applications such as Facebook Live, Twitch, TikTok, and similar video applications were not to be used, as they are public-facing.

Lastly, OCR recommended that providers seeking additional privacy protections use video communications products from vendors that are HIPAA compliant and who will enter into HIPAA business associate agreements. The full guidance, as well as a list of such providers, can be found here.

Minnesota Legislature Expands Telemedicine

On March 17, 2020, Minnesota Gov. Tim Walz signed into law legislation that amended state telemedicine statutes to allow the “origination site” (the site where the care was being given) to include a patient’s home. Previously, state law required that a patient be in a doctor’s office or other clinic in order to receive telemedicine services from a remote provider.

By expanding where the patient could be to receive reimbursable telemedicine services, the Legislature sought to ensure that basic primary and behavioral health care services could be provided safely during the COVID-19 emergency. This expansion of telemedicine services in Minnesota is temporary, however, as the changes are set to expire on February 1, 2021.