The COVID-19 pandemic has not led to any long-term modifications to HIPAA; however, unprecedented flexibilities have been announced on a temporary basis to make things easier for healthcare companies and business associates that are battling COVID-19.
In emergency situations such as disease outbreaks, the HIPAA Rules remain in effect, and the requirements of the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule remain the same. However, enforcement of compliance may be relaxed.
OCR issued 3 Notices of Enforcement Discretion in 2020 and 1 in 2021 because of the COVID-19 pandemic. These waived penalties and sanctions for a number of HIPAA violations for the duration of the COVID-19 national public health emergency.
The Notices of Enforcement Discretion are below:
Good Faith Telehealth Remote Communications for the duration of the COVID-19 National Public Health Emergency
OCR issued the first Notice of Enforcement Discretion relating to COVID-19 on March 17, 2020. It pertains to the good faith provision of telehealth services. OCR is waiving potential penalties for HIPAA violations by healthcare organizations that provide virtual care to patients via everyday communications tools during the COVID-19 national public health emergency.
Healthcare companies are therefore permitted to use everyday communications tools to deliver telehealth services to patients, even though those tools would not usually be considered fully HIPAA compliant.
Platforms such as Skype, Zoom, FaceTime, and Google Hangouts video may be used in the good faith provision of telehealth services to patients without penalty during the public health emergency. However, public-facing platforms such as TikTok and Facebook Live should never be used.
Good Faith Uses and Disclosures of PHI by BAs Relating to Public Health and Health Oversight Activities
On April 2, 2020, OCR announced that it would exercise enforcement discretion and would not impose sanctions and penalties on business associates of HIPAA-covered entities for uses and disclosures of PHI relating to public health and health oversight activities. HIPAA forbids these uses and disclosures except when a business associate agreement (BAA) allows them. During the public health emergency, BAs will not be fined for these uses and disclosures, as long as they notify the covered entity after the event, around 10 days following the use or disclosure of PHI.
Engagement in the Operation of Community-Based Testing Locations at the Time of the COVID-19 Countrywide Public Health Emergency
OCR announced on April 9, 2020 that it would exercise enforcement discretion for noncompliance with the HIPAA Rules in connection with good faith participation in the operation of COVID-19 testing locations, and would refrain from imposing sanctions and penalties on CEs and BAs at walk-up, drive-through, and mobile sites.
The Notice of Enforcement Discretion covers the operation of these locations and all activities that support the collection of samples from individuals solely for COVID-19 testing. Though penalties will not be imposed, “OCR encourages covered health care providers contributing in the good-faith operation of a CBTS to use reasonable safety measures to secure the privacy and security of the PHI of people.”
The Notice of Enforcement Discretion is effective from March 13, 2020.
Notice of Enforcement Discretion Relating to Online or Internet-Based Scheduling Applications for Booking of COVID-19 Vaccination Appointments
OCR announced an additional Notice of Enforcement Discretion on January 19, 2021, to assist HIPAA-covered entities with making COVID-19 vaccines available.
OCR stated that HIPAA sanctions and penalties will not be imposed on HIPAA-covered entities or their business associates in connection with the good faith use of online or web-based scheduling applications (WBSAs) for booking COVID-19 vaccination appointments.
WBSAs may be used for scheduling COVID-19 vaccination appointments, even when their use would not normally be considered fully compliant with the HIPAA Regulations (for example, where no BAA is in place).
The Notice of Enforcement Discretion does not apply to the use of WBSAs for booking vaccination appointments if the WBSA provider has prohibited the use of its WBSA for scheduling healthcare appointments. Enforcement discretion also does not apply when the WBSA is used for anything other than scheduling COVID-19 vaccination appointments, such as scheduling appointments for other healthcare services or carrying out COVID-19 testing before arranging a face-to-face healthcare consultation.
Any WBSA should have privacy and security safeguards that can be activated to protect the privacy and confidentiality of medical information. OCR urges HIPAA-covered entities and their business associates to make sure that safeguards are put in place, for instance, using encryption whenever possible, adhering to the minimum necessary standard, and enabling all privacy settings.
The Notice of Enforcement Discretion took effect on January 19, 2021, and is retroactive to December 11, 2020.