Updated March 26, 2020
Map from The New York Times, March 26, 2020, shows at least 68,534 reported cases in 50 states and the District of Columbia – Note from NYT: the map shows the known locations of coronavirus cases by county. Circles are sized by the number of people there who have tested positive, which may differ from where they contracted the illness. Some people who traveled overseas were taken for treatment in California, Nebraska and Texas. Puerto Rico and the other U.S. territories are not shown. Sources: State and local health agencies, hospitals and the C.D.C. Data as of Thursday morning, March 26. See Coronavirus Map: Tracking the Global Outbreak
Key Takeaway for HIPAA Compliance
HIPAA privacy remains in effect with some temporary modifications you must know to protect you and your patients.
COVID-19 Exploded Over Eight Weeks
In the United States, the first case was reported on January 21, in Washington state. Since then, reported cases have grown exponentially:
- March 3 – 68 cases in 15 states
- March 9 – 566 cases in 36 states
- March 16 – 4,312 cases in 49 states
- March 18 – 5,881 cases in 50 states
- March 23 – 33,018 cases in 50 states
- March 25 – 59,502 cases in 50 states
- March 26 – 68,534 cases in 50 states
New York state accounts for more than half of the country’s known coronavirus cases.
These numbers increase every hour, so will be higher by the time you read this, for coming weeks.
It’s worth noting that these are reports of positive test results. Most experts believe these numbers undercount the actual number of cases because of the shortage of test kits.
A National Emergency and a Declaration from U.S. Health Secretary Alex Azar
A series of declarations and announcements have been issued since January 31, when U.S. Department of Health and Human Services Secretary Alex Azar declared a public health emergency.
The President declared a national emergency on Friday March 13, various states and municipalities have been taking stronger actions on their own, on Sunday the 15th the Centers for Disease Control and Prevention (CDC) advised against gatherings of 50 or more, nationwide, for at least eight weeks. On Monday afternoon the President advised against gatherings of 10 or more.
Health Secretary Alex Azar has now issued the HIPAA waiver for hospitals, effective March 15 . The OCR Bulletin regarding HIPAA and COVID-19 is here.
Then on March 17, 2020, OCR issued a much broader notice about HIPAA, described as a “Notification of Enforcement Discretion in Telehealth“, to ease HIPAA enforcement for all covered providers, not just hospitals, in connection with telehealth services. More below.
The March 13 national emergency declaration contains a number of provisions, including funding for Federal Emergency Management Agency (FEMA) response. It allows modifications or waivers of certain regulations under Medicare, Medicaid and other programs. It also will help expand capacity at hospitals and reduce other regulations that could slow emergency response.
NEW as of March 17, 2020
CMS, Telehealth and HIPAA
Telehealth services will become more widely available for Medicare recipients during the COVID-19 outbreak because CMS is allowing for reimbursement for office, hospital and other visits furnished via telehealth, starting March 6, 2020. More details can be found here.
COVID-19 and HIPAA Waivers for Telehealth
“OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This notification is effective immediately.” (March 17, 2020)
All health care providers are encouraged to use more telehealth, to allow people to stay home. This new Notice says that health care providers may use apps for video chats, “including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”
Patients should be told that such apps present potential privacy risks, and “providers should enable all available encryption and privacy modes when using such applications.” Finally, providers should use vendors who are HIPAA compliant, and enter business associate agreements with them. Read the Notification in full for all the details.
NEW as of March 21: FAQs on Telehealth and HIPAA
Changes and new guidance are coming at a rapid pace. On Saturday, March 21, the Office for Civil Rights provided some clarification about HIPAA and telehealth with a set of Frequently Asked Questions – the link is here: FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency
What is the Normal HIPAA Waiver in a Public Health Emergency?
For hospitals who have a disaster protocol, OCR will waive certain sanctions and penalties under the HIPAA Privacy Rule. There are no similar waivers for non-hospital covered entities. The word “normal” is used, because OCR has issued this same waiver year after year during natural disasters, like hurricanes. The special changes under COVID-19 are new. And, you can review how HIPAA applies in public health emergencies even without waivers in last week’s blog. The OCR Bulletin on HIPAA and COVID-19 also reviews those rules.
Sanctions and penalties are waived against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
- the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
- the requirement to honor a request to opt out of the facility directory.
- the requirement to distribute a notice of privacy practices.
- the patient’s right to request privacy restrictions.
- the patient’s right to request confidential communications.
The waiver applies to the geographic area in the President’s declaration, which is nationwide, something we have not seen before. In recent years when the HIPAA waivers were triggered they applied to a smaller geographic area affected by a natural disaster like a hurricane. The waiver is limited in time, up to 72 hours after a hospital implements its disaster protocol.
Best Sources of Information About COVID 19
Stay current on COVID-19 at cdc.gov and your local and state public health department websites. Beware rumors and fear tactics. Stay vigilant with cybersecurity defenses and review your HIPAA Risk Analysis-Risk Management Plan.
Many people tend to be vulnerable during a crisis, thinking fast in a stressful situation, so slow down, think before you click on emails and attachments, and don’t forward emails that contain suspect information or are from an unverified source.
HIPAA Help is a Phone Call or Email Away
We are staffed – ready to help, working from home, but available. We are monitoring developments under HIPAA law 7 days a week, and will update the blog ASAP with changes you need to know.
For non-hospital covered entities and business associates, you can review how HIPAA law applies during an emergency, even without the waivers, at last week’s blog, HIPAA Privacy and Coronavirus.
For providers of all kinds, telehealth may be an option for you. Make sure you have a business associate agreement with the telehealth application. Call us if you need guidance.
Take a deep breath, remember this is temporary, and if you are still stressed about HIPAA and wondering how to set priorities and maintain your HIPAA compliance program, we can answer questions – you don’t need to be a customer of The HIPAA E-Tool®.
In time, we will all get back to lives not governed by COVID-19 updates every ten minutes.