HIPAA Blog

[ Tuesday, May 12, 2020 ]

 

I keep getting this question: during the course of the pandemic, hasn't OCR revised HIPAA to allow a lot of different uses and disclosures that were not permitted before?

The answer is No. 

What has OCR done?  Well . . . 

So, basically there have been 7 different announcements (addressing 6 topics) from HHS/OCR about HIPAA since the pandemic began.  [There was actually one earlier, but it was very limited in scope (waiver of penalties against hospitals that don’t get NoPPs out in time and other niceties because they are in emergency mode operations, but the relief is only good for 72 hours).  That one’s pretty useless and pretty much forgotten.]

Anyway, the announcements were:
  1. Enforcement discretion for providers who use Skype/FaceTime during the pandemic
  2. Guidance (FAQs) about the Skype/FaceTime enforcement discretion rules
  3. Guidance to help first responders get PHI about infected individuals
  4. Bulletin on existing Civil Rights Laws and HIPAA flexibilities
  5. Enforcement discretion to allow BAs to directly disclose PHI to public health authorities
  6. Enforcement discretion for community-based testing sites during the pandemic
  7. Guidance on restrictions on providers granting media access to their facilities


The first 2 deal with providers being able to use non-public-facing apps to conduct remote audio-video patient treatment encounters. #3 clarifies how HIPAA allows covered entities to disclose PHI to first responders, and the data-sensitive ways to do so.  #4 makes clear that covered entities and others can’t discriminate in the provision of healthcare based on Covid-19 status.  #5 allows business associates to disclose PHI to public health authorities and health oversight agencies (covered entities can do so, but the pathway for doing so is less clear for business associates) and #6 states that OCR will not punish covered entities that run testing sites if those sites are not as data-protective as a regular office setting.  #7 is designed to remind covered entities of the several prior HIPAA enforcement actions against hospitals that allowed reality-TV film crews onto their premises; the pandemic is newsworthy, and video of crowded hospital hallways is compelling, but patients who might be identified in the video still have privacy rights.

Note that none of these are revisions to HIPAA, new regulations, or anything of the sort.  They are either enforcement discretion or guidance; the "guidance" is just explaining the rules, and the "enforcement discretion" is just saying that OCR will grant covered entities the benefit of the doubt if they act in good faith in a way that might have been questionable (but not necessarily illegal) in “ordinary” times.  For example, in ordinary times a healthcare clinic would not run a testing center in its parking lot, where the general public can see who is in the car and read license plate numbers, due to privacy concerns; however, it would not be a violation of HIPAA if doing so were otherwise reasonable, such as in an extreme situation, in a restricted-access area, or where other privacy protections could be put in place.  

None of this changes a single word of HIPAA.  Rather, all of these pronouncements are instances of OCR pointing out the flexibility and reasonableness of HIPAA, and how it allows for different levels of protection when circumstances change; what is not reasonable in ordinary times may be reasonable during a pandemic.  Because there may be confusion, and covered entities may put such a great (and unreasonable) emphasis on privacy that effective patient care is compromised, OCR is attempting to put minds at ease and allow less-protective actions in extraordinary conditions.

OCR would not call these actions a relaxation of standards or a change in the rules.  Rather, what OCR has offered is a clarification that the same standards as before apply (i.e., reasonableness), but that the current pandemic conditions present a different set of conditions, such that actions and operations that would be unreasonable in ordinary circumstances might be reasonable during these extraordinary circumstances.  HIPAA has not changed; it is exactly the same, and in fact was designed to remain the same in changing circumstances.  When the circumstances change, the definition of reasonable changes. 

Jeff [1:04 PM]
