In response to the COVID-19 public health emergency, the HHS Office for Civil Rights (OCR) has issued a variety of notices, bulletins, and other guidance over the past two months to assist healthcare providers and others in the healthcare industry in the fight to minimize the spread of COVID-19. In our alert dated March 19, 2020, we discussed OCR's notification that it will exercise enforcement discretion and waive HIPAA penalties against covered healthcare providers for their good faith provision of telehealth services during the COVID-19 public health emergency. Last week, OCR issued two additional notices in which it exercises further enforcement discretion by waiving HIPAA penalties during the emergency, which are summarized below.
Business Associate Disclosures for Public Health and Health Oversight Activities
Under HIPAA, Covered Entities are permitted to use and disclose Protected Health Information (PHI) in connection with certain public health and health oversight activities pursuant to 45 C.F.R. § 164.512(b) and 45 C.F.R. § 164.512(d), respectively. Business Associates, on the other hand, are limited by HIPAA and the terms of their Business Associate Agreements (BAAs) with Covered Entities with respect to the uses and disclosures of PHI that they may undertake. While Business Associates are permitted under their BAAs to use and disclose PHI to conduct certain activities or functions on behalf of Covered Entities or provide services to Covered Entities pursuant to their service agreements, these agreements may not contemplate the types of disclosures that Business Associates are being asked to make in connection with the country's response to the COVID-19 emergency.
Thus, on April 2, 2020, OCR announced that it will not impose penalties for noncompliance with HIPAA's limitations on the purposes for which a Business Associate may use and disclose PHI, where a Business Associate makes a good faith use or disclosure of a Covered Entity's PHI for public health activities consistent with 45 C.F.R. § 164.512(b) or health oversight activities consistent with 45 C.F.R. § 164.512(d), provided that the Business Associate informs the applicable Covered Entity that PHI has been disclosed within ten (10) calendar days after the use or disclosure occurs or commences. Examples of such good faith uses and disclosures include:
- Uses and disclosures for or to the Centers for Disease Control and Prevention (CDC) or a similar state public health authority for the purpose of preventing or controlling the spread of COVID-19; and
- Uses and disclosures for or to the Centers for Medicare and Medicaid Services (CMS) or a similar state health oversight agency for the purpose of overseeing and providing assistance for the healthcare system as it relates to the COVID-19 response.
When undertaking such uses and disclosures, Business Associates must comply with the implementation specifications set forth at 45 C.F.R. § 164.512(b) and 45 C.F.R. § 164.512(d), which, as written, apply only to Covered Entities. Business Associates must also comply with all other applicable aspects of the HIPAA Privacy, Security, and Breach Notification Rules when engaging in these uses and disclosures, such as ensuring secure transmission of electronic PHI to the public health authority or health oversight agency. Business Associates, however, should exercise caution. For example, the guidance does not shield Business Associates from possible breach of contract claims.
OCR's notification of enforcement discretion was effective as of April 2, 2020 and will continue for the duration of the public health emergency.
Community-Based Testing Sites
On April 9, 2020, OCR announced HIPAA enforcement discretion to support covered healthcare providers and their Business Associates that operate Community-Based Testing Sites (CBTS), which include mobile, drive-through, or walk-up sites that provide only COVID-19 specimen collection or testing services, during the COVID-19 public health emergency. Namely, OCR will not impose penalties for noncompliance with HIPAA against such entities in connection with their good faith participation in the operation of a CBTS. This notification of enforcement discretion is effective immediately and has retroactive effect to March 13, 2020.
Even though it will not impose penalties for violations of HIPAA that occur in the good faith operation of a CBTS, OCR "encourages" CBTS to implement reasonable safeguards to protect the privacy and security of patients' PHI, such as:
- Complying with HIPAA's minimum necessary rule when using and disclosing PHI;
- Setting up canopies or similar opaque barriers at a CBTS to provide some measure of privacy to the patients while their samples are being collected;
- Controlling foot and car traffic to create adequate distancing at the point of service;
- Establishing a "buffer zone" to prevent the public and members of the media from observing or filming patients who approach a CBTS, and posting signs prohibiting filming;
- Using secure technology at a CBTS to record and transmit electronic PHI; and
- Posting a Notice of Privacy Practices or information about how to find the Notice of Privacy Practices at the CBTS.
OCR noted that this waiver does not apply to covered healthcare providers or their Business Associates when they are performing non-CBTS activities, including the handling of PHI outside of the operation of a CBTS. Additionally, the waiver does not apply to health plans or healthcare clearinghouses when they are performing health plan and clearinghouse functions.
If you have any questions regarding this client alert, or if you would like assistance with your organization's response to the COVID-19 public health emergency, please contact a member of Venable's Healthcare Practice Group.