The U.S. Department of Health and Human Services (HHS) has issued a number of critical notices in connection with the application of the Health Insurance Portability and Accountability Act (HIPAA) and the use, disclosure and protection of protected health information (PHI) to issues that have arisen in connection with the COVID-19 pandemic. In all instances, HHS has reiterated that the requirements of the HIPAA Privacy, Security and Breach Notification Rules remain in force; however, in certain circumstances, HHS has exercised its discretion to waive sanctions and penalties or refrain from initiating enforcement actions for an entity’s failure to comply with such requirements. HHS has also released practical guidance to highlight the application of certain HIPAA requirements to real-life scenarios that have become common in the midst of the COVID-19 pandemic.

On March 13, 2020, the HHS Secretary issued a Waiver or Modification of Requirements Under Section 1135 of the Social Security Act (SSA). Of particular note, HHS will waive sanctions and penalties for violations of certain provisions of the HIPAA Privacy Rule that occur within 72 hours of a hospital initiating its hospital disaster protocol. The waiver applies to the requirement to obtain a patient’s agreement to speak with family members or friends involved in a patient’s care; the requirement to honor a patient’s request to opt-out of a facility’s directory; the requirement to distribute the notice of practice practices; and the patient’s right to request privacy restrictions and confidential communications.

On March 16, 2020, HHS – Office of Civil Rights (“OCR”) issued the COVID-19 and HIPAA Bulletin. This bulletin includes overviews of disclosures for purposes related to treatment and public health activities, disclosures for notification purposes, disclosures to family, friends, and others involved in an individual’s care, disclosures to prevent or lessen a serious and imminent threat, and disclosures to the media or others not involved in the individual’s care. OCR also reinforced need to protect PHI and minimize the disclosure of PHI to the amount necessary to accomplish the intended purpose.

OCR published a notification on March 17, 2020, and clarifying guidance on March 20, 2020, that it will be exercising its discretion and refraining from imposing penalties on covered health care providers for noncompliance with HIPAA’s Privacy, Security and Breach Notification Rules in connection with the good faith provision of health care that, in the provider’s professional judgment, can be delivered via telehealth, regardless of whether or not the telehealth services relate to the treatment of COVID-19.

On March 18, 2020, HHS shared Defending Against COVID-19 Cyber Scams, a bulletin from the Cybersecurity and Infrastructure Security Agency (CISA) at the U.S. Department of Homeland Security. Specifically, CISA warns individuals to be wary of emails with potentially malicious attachments or links to fraudulent websites, and encourages individuals to use trusted sources, such as legitimate government websites, when looking for accurate and up-to-date information on COVID-19, refrain from revealing personal or financial information in an email, and avoid charity scams by verifying a charity’s authenticity before making donations.

On March 24, 2020, OCR released a set of Frequently Asked Questions to clarify when covered entities are permitted under HIPAA to release patient PHI to law enforcement, paramedics, first responders and public health authorities. OCR confirmed that covered entities may, in particular circumstances, disclose PHI about an individual who has been infected or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities so that first responders can take extra precautions or use personal protective equipment.

TIP: Health care providers should continue to monitor guidance from HHS throughout the pandemic to better understand how they may use and disclose HIPAA, and where OCR may be declining to initiate enforcement actions due to non-compliance with HIPAA, in these unprecedented circumstances.