April 13, 2020

Office for Civil Rights COVID-19 Updates on HIPAA and Anti-Discrimination Laws

By Elizabeth F. Hodge, Esq., Akerman, LLP, West Palm Beach, FL

Healthcare providers and other entities subject to regulation by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) should review recent guidance, notices, and bulletins from OCR addressing compliance with privacy and non-discrimination laws during the COVID-19 national public health emergency.  Below is a summary of recent publications from OCR about what the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and anti-discrimination laws require of covered entities, and particularly healthcare providers, during the coronavirus pandemic.

Limited Waiver of HIPAA Sanctions and Penalties

Although compliance with the HIPAA Privacy Rule[1] is not suspended during a public health or other emergency, pursuant to the Project Bioshield Act of 2004[2] and Section 1135(b)(7) of the Social Security Act, if the President has declared an emergency or disaster and the Secretary of HHS has declared a public health emergency, the Secretary of HHS may waive certain sanction provisions of the HIPAA Privacy Rule. In its COVID-19 & HIPAA Bulletin: Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency (Section 1135 Waiver Bulletin)[3] issued on March 15, 2020, OCR announced that HHS Secretary Alex Azar exercised his authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care (45 C.F.R. § 164.510(b));
  • the requirement to distribute a notice of privacy practices (45 C.F.R. § 164.520);
  • the requirement to honor a request to opt out of a hospital’s directory (45 C.F.R. § 164.510(a)); and
  • the patient’s right to request privacy restrictions or confidential communications (45 C.F.R. § 164.522).

The waiver was effective on March 15, 2020, and is limited in scope and duration. Specifically, the waiver only applies: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.

Once the Presidential or Secretarial emergency declaration ends, a covered hospital must comply with all Privacy Rule requirements for any patient under its care, even if the hospital’s disaster protocol has been in place less than 72 hours. The Secretary has previously issued Section 1135 waivers of the HIPAA Privacy Rule in connection with natural disasters such as hurricanes, earthquakes, and the California wildfires, although those waivers had a more limited geographic scope.[4]

Notification of Enforcement Discretion for Telehealth

On March 17, 2020, OCR issued a Notification of Enforcement Discretion for Telehealth Remote Communications during the COVID-19 Nationwide Public Health Emergency[5] (Telehealth Notice) announcing that it will not impose penalties for noncompliance by covered healthcare providers with regulatory requirements of the HIPAA Privacy, Security[6] and Breach Notification[7] Rules in connection with the good faith provision of telehealth using non-public facing audio or video communication products during the COVID-19 nationwide public health emergency. Under the Telehealth Notice, covered healthcare providers may use popular communication applications that allow for video chats, such as Apple FaceTime, Google Hangouts video, or Skype, to provide telehealth without the risk that OCR may seek penalties for noncompliance with the HIPAA Rules, such as failing to have a business associate agreement with the video communication vendor. To help healthcare providers understand the scope and limitations of the Telehealth Notice, OCR has issued FAQs[8] which explain key terms in the Telehealth Notice and how covered entities may reduce the privacy risks to individuals when using video chat technology to provide healthcare during the COVID-19 emergency.

The Telehealth Notice was effective as of March 17, 2020, and does not have an expiration date. OCR will issue a public notice when it is no longer exercising its enforcement discretion based on the latest facts and circumstances.[9]

HIPAA Guidance Regarding Disclosures to First Responders and Public Health Authorities During the COVID-19 Emergency

In an effort to reduce the risk that first responders such as law enforcement officers and paramedics may be exposed to the novel coronavirus, on March 24, 2020 OCR issued guidance, COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities, addressing the circumstances under which the HIPAA Privacy Rule permits covered entities to disclose the identity of persons who have been exposed to or infected with COVID-19 to first responders and public health authorities without the individual's written authorization (First Responder Guidance)[10] so the first responders may protect themselves from infection. In the guidance, OCR reiterates that the HIPAA Privacy Rule allows covered entities to disclose the protected health information (PHI) of an individual who has been exposed to or infected with COVID-19 without authorization in the following situations:

  • when the disclosure is needed to provide treatment;
  • when such notification is required by law, e.g., reporting of confirmed or suspected cases of infectious disease pursuant to state law;
  • to notify a public health authority in order to prevent or control spread of disease;
  • when first responders may be at risk of infection;
  • when the disclosure of PHI to first responders is necessary to prevent or lessen a serious or imminent threat to the health or safety of a person or the public; and
  • subject to certain limitations, when responding to a request for PHI by a correctional institution or law enforcement official having custody of an inmate or other individual.

The First Responder Guidance provides examples of how hospitals and other healthcare providers may appropriately share PHI to alert first responders about those individuals who may have COVID-19 so the first responders may protect themselves from exposure.  Finally, the guidance reminds covered entities that except when required by law or for treatment disclosures, covered entities must make reasonable efforts to limit the PHI shared to that which is the minimum necessary for the purpose of the disclosure.

Notification of Enforcement Discretion for Uses and Disclosure of PHI by Business Associates for Public Health and Health Oversight Activities in Response to COVID-19

On April 2, 2020, OCR published a second Notification of Enforcement Discretion announcing that it will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against covered healthcare providers or their business associates for the good faith uses and disclosures of PHI by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency (Business Associate Notice).[11] The Business Associate Notice allows business associates to share COVID-19 related data, including PHI, with federal and state public health authorities and health oversight agencies, such as the Centers for Disease Control and Prevention (CDC) and the Centers for Medicare & Medicaid Services (CMS), and state health departments.[12] According to Roger Severino, OCR Director, "Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives."[13] The Business Associate Notice will remain in effect until the Secretary of HHS declares the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, whichever occurs first.

Nondiscrimination Bulletins

In addition to assisting healthcare providers with HIPAA compliance, OCR has issued two bulletins reminding healthcare providers of their obligations with respect to applicable civil rights and non-discrimination laws during the COVID-19 pandemic. In its Bulletin: Civil Rights and the Coronavirus Disease 2019 (COVID-19) issued on March 16, 2020 (First Civil Rights Bulletin), OCR reminds all entities subject to civil rights authorities, including healthcare providers, that civil rights laws and their implementing regulations still apply during a declared emergency. These laws and regulations prohibit discrimination based on race, color, national origin, disability, age, sex, and exercise of conscience and religion in HHS funded programs.

In issuing the First Civil Rights Bulletin, OCR Director Severino said that HHS is “committed to leaving no one behind during an emergency” and “[p]roviders should not place persons using wheelchairs or needing accommodations at the end of the line for health services during emergencies.”[14]

To help address the needs of at-risk populations, OCR suggests that government officials, healthcare providers, and covered entities consider adopting the following practices to help ensure that all segments of the community are served during the COVID-19 emergency:

  • use qualified interpreter services to help individuals with limited English proficiency or those who are deaf or hard of hearing;
  • make emergency messaging available in languages prevalent in the affected community(ies) and in multiple formats, e.g., audio, large print, and captioning;
  • make websites providing emergency-related information accessible;
  • use a variety of outlets and resources for messaging to reach persons with disabilities, those with limited English proficiency, and members of diverse religious communities;
  • consider and plan for the needs of individuals with limited mobility and individuals with assistive devices or durable medical equipment; and
  • stock facilities with items to help individuals maintain independence, such as hearing aid batteries, canes, and walkers.

According to OCR, making “reasonable efforts” to accommodate persons with disabilities will help ensure that all segments of the community benefit from emergency response efforts.

On March 28, 2020, OCR issued a subsequent Bulletin: Civil Rights, HIPAA, and the Coronavirus Disease 2019 (COVID-19) providing additional guidance for healthcare providers to meet their obligations under federal civil rights laws (Second Civil Rights Bulletin).[15] OCR issued the Second Civil Rights Bulletin to remind covered entities that:

  • persons with disabilities should not be denied medical care on the basis of stereotypes, assessments of quality of life, or judgments about a person's relative 'worth' based on the presence or absence of disabilities. Decisions by covered entities concerning whether an individual is a candidate for treatment should be based on an individualized assessment of the patient based on the best available objective medical evidence.[16]

OCR Director Severino added, "Our civil rights laws protect the equal dignity of every human life from ruthless utilitarianism."[17]

OCR Director Severino reiterated that HHS is committed to leaving no one, including those with disabilities or limited English proficiency, behind in an emergency.  To help healthcare providers meet that goal, the Second Civil Rights Bulletin reminds healthcare providers and covered entities of the steps they need to take under federal civil rights laws to help ensure that all segments of the community are served during the COVID-19 emergency. 

Early Case Resolution

OCR announced on April 8, 2020 its first enforcement action since issuing the Second Civil Rights Bulletin. OCR resolved a compliance review of the State of Alabama after the state removed "ventilator rationing" guidelines that allegedly discriminated on the basis of disability and age.[18] The compliance review was prompted by a complaint that alleged that Alabama incorporated into its Emergency Operations Plan a 2010 document that allegedly allowed for denying ventilator services to individuals based on the presence of intellectual disabilities and "moderate to severe dementia." In its announcement of the resolution, OCR said it was concerned that the 2010 criteria could result in discrimination against older persons and those with intellectual disabilities.

Alabama agreed to remove all links to the 2010 document on its websites and to comply with applicable civil rights laws. The state also agreed that it will not include in future Crisis Standards of Care guidelines similar provisions singling out certain disabilities for unfavorable treatment or use categorical age cutoffs. Because of Alabama's timely responsive actions, OCR closed its compliance review as satisfactorily resolved and with no finding of liability. In announcing the resolution, OCR Director Severino said, "Alabama and other states are free to and encouraged to adopt clear triage policies, but they must do so within the guardrails of the law."[19]


Although this is a challenging time for all healthcare providers, they must remain mindful of their obligations to protect patients’ rights under HIPAA and nondiscrimination laws. Providers should continue to consult OCR guidance on these evolving issues and monitor when waivers or Notices of Enforcement Discretion will expire.

  1. 45 C.F.R. Part 160 and Subparts A and E of 45 C.F.R. Part 164.
  2. Public Law 108-276.
  3. See
  4. See
  5. See
  6. 45 C.F.R. Part 164, Subpart C.
  7. 45 C.F.R. § 164.400 et seq.
  8. See
  9. Id., page 3, FAQ #6.
  10. See
  11. See
  12. See April 2, 2020 OCR Press Release,
  13. Id.
  14. See OS OCR PrivacyList email re: BULLETIN: Civil Rights and the Coronavirus Disease 2019 (COVID-19).
  15. See Bulletin:  Civil Rights, HIPAA, and the Coronavirus Disease 2019 (COVID-19), Mar. 28, 2020, The Notice was later published in the Federal Register; see 85 Federal Register 19392 (Apr. 7, 2020).
  16. Id. at page 1.
  17. Id.
  18. See
  19. Id.

About the Author

Elizabeth Hodge, a member of Akerman LLP’s Healthcare Practice Group, concentrates her practice on compliance and regulatory issues affecting healthcare providers and payors and employer-sponsored health plans. She has significant experience with HIPAA and the HITECH Act and assists covered entities and business associates in complying with these laws through the development of policies and procedures, workforce training, analysis and notification of breaches, and assisting with government audits and investigations. In addition, she counsels her clients on regulatory issues, including state and federal fraud and abuse laws. Ms. Hodge is a frequent speaker and author on developing issues in healthcare law, and is a member of the Florida Hospital Association’s HIPAA Preemption Analysis Task Force and the former president of the Florida Academy of Healthcare Attorneys. She may be reached at [email protected].