Health Care Law Blog

In March of 2020, OCR notified providers that it is exercising its enforcement discretion not to impose penalties for noncompliance with HIPAA in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. For example, the guidance permits providers to use popular applications for video conferencing, such as Zoom, FaceTime, Google Hangouts and Facebook messenger.

Providers are still encouraged to use video communication vendors who have stronger security capabilities to prevent data interception and to enter into a business associate agreement with video communication vendors to assure they will protect electronic health information. Additionally, providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

OCR has also provided updated guidance on two specific areas of HIPAA compliance: media coverage of COVID-19 patients and contacting former COVID-19 patients with information on donating plasma. OCR stated that the COVID-19 public health emergency does not impact the protections that prohibit patients’ information from being given to the media. If a patient’s protected health information were to be accessible to the media (for example, through a film crew) the provider would need to obtain a written HIPAA authorization from all applicable patients. The OCR determined that even the patient’s presence in an area of a facility dedicated to treatment of COVID-19 is protected because it reveals information about the patient’s diagnosis. If the provider obtains valid, written HIPAA authorizations from every patient in the area and every patient whose protected health information is accessible, then the media could film areas where COVID-19 patients are being treated.

Recently, OCR has provided insight as to whether a health care provider may use protected health information to contact a patient who has recovered from COVID-19. The guidance indicates that a provider may contact a patient to provide them with information on donating their plasma that contains antibodies to SARS-CoV-2, which are used for treating patients with COVID-19. HIPAA generally prohibits the disclosure of protected health information for marketing purposes without the patient’s authorization. However, the OCR does not consider contacting patients to provide information about donating plasma to be marketing. The OCR guidance further notes that while the health care provider, or one of its business associates, could contact patients for this purpose, the health care provider could not provide the information to a third party or allow a third party to contact patients with information about donating plasma.

In addition to the above, OCR issued guidance on December 18, 2020 that pertains to the use of protected health information in a health information exchange for public health purposes. A health information exchange (“HIE”) is an organization that enables the sharing of electronic protected health information between two unaffiliated entities for treatment, payment, or health care operations. OCR is exercising its discretion and not enforcing penalties on a business associate HIE for disclosing protected health information to a public health authority during the COVID-19 health emergency, even if the business associate agreement does not provide for disclosure. For example, a covered laboratory may report a patient’s COVID-19 test results through a HIE to a public health authority, if the HIE is transmitting the information as a business associate of the covered laboratory. The OCR guidance related to health information exchanges and protected health information is available here.

On January 19, 2021, OCR issued a Notice of Enforcement Discretion indicating that it would not impose penalties for noncompliance with HIPAA requirements related to the use of web-based scheduling application (“WBSA”) vendors to schedule COVID-19 vaccine appointments. The guidance is still being submitted for final publication, but is available here. A WBSA is defined as a non-public facing online or web-based application that provides for scheduling of individual appointments for services in connection with large-scale COVID-19 vaccination. OCR recognizes that providers need to quickly and effectively schedule a large number of individuals for vaccination appointments, and permits them to use WBSAs to do so despite the fact that some of the applications may not fully comply with HIPAA. Similar to the use of video communication vendors, OCR recommends providers implement reasonable safeguards when using WBSAs. The Notice of Enforcement Discretion for use of WBSAs is set to last through the COVID-19 nationwide public health emergency.

Members of the Foster Swift health care practice group continue to monitor updates to HIPAA and relevant health care regulations to help providers navigate their responsibilities during the COVID-19 pandemic. Additionally, Foster Swift has its own legal cybersecurity hotline to assist a business or organization that has experienced a data breach or cybersecurity incident. If you have any questions regarding how HIPAA applies to your organization, please contact one of the authors of this article.

While the information in this article is accurate at time of publication, the laws and regulations surrounding COVID-19 are constantly evolving. Please note that the links above to the further guidance may still be under submission to the Office of of Federal Register for publication. Please consult your attorney or advisor to make sure you have the most up to date information before taking action.

• Julie Hamlet | 616.796.2515 | jhamlet@fosterswift.com