The COVID-19 pandemic caused many changes in our society and the policies. U.S. healthcare system had to adapt to the new reality by restructuring several aspects of its operation, including the nation’s most crucial health privacy law, the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was designed back in 1996 to improve the nation’s healthcare system’s efficiency and effectiveness and to protect the privacy of health information. 

In this article, we summarize the actions of OCR in response to the pandemic and how they affect HIPAA compliance for healthcare providers. 

Can HIPAA Be Waived During COVID-19 Pandemic? 

COVID-19 has forced the Human Services Office for Civil Rights (OCR) to issue various guidance documents to relax HIPAA compliance in specific situations. The primary purpose of these waivers is to make sure that healthcare providers can still effectively respond to the pandemic and public health emergencies. OCR gave more flexibility to healthcare providers in how they share protected health information during the spread of COVID-19.  

In a few words, OCR waived hospital compliance with the HIPAA privacy rules only in particular circumstances and outlined new HIPAA regulations for telehealth services. 

The compliances included in the waiver are: 

  • The obligation to have a patient’s agreement before speaking with family members or friends involved in the patient’s care. 
  • The right of the patient to ask for privacy restrictions 
  • The patient’s right for confidential communication 
  • Honoring a patient’s request to opt-out of the medical facility directory. 
  • Privacy practices notice distribution. 

What Does HIPAA Waiver Mean for Healthcare Providers? 

The section 1135 HIPAA waiver took effect on the 15th of March 2020. However, even without this waiver, the HIPAA Privacy Rule outlined specific purposes and conditions for health providers to share patient information. The waiver was also limited to hospitals and excluded other healthcare providers. 

The section 1135 waiver only applies in the following cases: 

1) If the hospital is located in the emergency area identified in the public emergency declaration (in case of COVID-19 it is the entire United States) 

2) If the hospital instituted a disaster protocol and for up to 72 hours from the time the protocol was implemented. 

The hospital must return to full HIPAA compliance after 72 hours, even if there are still patients under care. If the public health emergency or the national health emergency is terminated, the health provider must revert to full HIPAA compliance, even if the 72 hours period is not yet over. 

Moreover, the hospital’s actions under this waiver should not discriminate against patients based on their ability to pay or their source of funds. 

Under the HIPAA waiver, healthcare providers can share information about patients infected with COVID-19 or exposed to the virus. Providers can share this information with paramedics, law enforcement, and other first responders. In certain circumstances, the waiver does not require providers to obtain a patient’s authorization to share it. 

OCR insights help medical practices define the circumstances where sharing this type of data is allowed.  

Telehealth Services and Notifications of Enforcement Discretion

The initial waiver, issued on the 13th of March 2020, was very narrow and had a minimal impact. For example, it did not apply to healthcare providers other than hospitals. Telehealth services facilitating social distancing were still limited to the usage of technologies that complied with HIPAA security rules. 

OCR recognized that the 1135 waiver did not offer enough flexibility to telehealth providers. So on the 17th of March 2020, OCR issued the first and most crucial notification of enforcement discretion. The primary purpose of it was to help telehealth providers deliver their services more efficiently. 

OCR allowed telehealth providers to use technologies that are not HIPAA compliant regardless of whether the health provider suspects a patient to have COVID-19. OCR would no longer sanction telehealth providers acting in good faith for non-compliance with privacy, security, and breach notification regulations. 

The only limitation is that the technologies used for telehealth services must be non-public facing. 

Here is the list of tools that can providers can use facilitate communication with telehealth patients: 

  • Updox
  • Skype for Business
  • VSee
  • Zoom for Healthcare
  • Google G Suite Hangouts Meet

If you are a telehealth services provider, OCR encourages you to take these steps to protect the patients’ privacy and security. 

  • Let your patients know about security risks that third-party applications can introduce
  • Enable “all available encryption and privacy modes when using such applications.” 
  • Make sure that the conversation takes place in private space to avoid others overhearing it. 
  • Even when using third-party technologies, keep patients’ records accurate and complete by logging the interactions in the patient’s medical history.  

It is important to note that the waiver does not suspend the HIPAA Privacy Rule, although it provides some flexibility.

Long-Term Effects of HIPAA Privacy Rule Waiver

Beyond compliance issues caused by the COVID-19 pandemic, the changes to HIPAA can have a long term effect. 

The increased demand for telehealth services during the pandemic is here to stay. Many patients appreciate the convenience and safety of being in the comfort of their own home while seeing a healthcare practitioner. 

As a result, on June 15, 30 senators signed a letter to make the temporary telehealth flexibilities permanent. Apart from permitting third-party technologies, the letter is asking to allow telehealth practitioners to provide services to new patients without a signed notice of privacy practices. 

In a post-pandemic world, congress and HHS will have to decide on keeping certain HIPAA privacy requirements and waivers.