The Importance Of HIPAA Waivers In The Face Of COVID


In this blog, we look at the HIPAA waivers and their implications for the healthcare industry, public health, and control of the coronavirus.

As the pandemic started in 2019, frontline health workers were faced with a lot of inquiries. There was public demand for more information on the rapidly spreading illness. At the same time, while providing information, healthcare workers had to be cognizant of patients' privacy rights and the HIPAA guidelines, all amid a lot of public anxiety and media scrutiny.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) acted immediately and issued a limited waiver of certain HIPAA sanctions and penalties. This eased access to data for certain groups. The waivers help information providers understand what material can be revealed and under what conditions.

Why Were HIPAA Waivers Announced?

Under certain circumstances, it becomes necessary to share PHI even without patient authorisation. Here are a few scenarios where a HIPAA waiver becomes necessary.

  1. To Prevent a Serious and Impending Threat

PHI can be disclosed when it becomes necessary to counter a severe threat to the health and safety of a person or the public. This decision has to be based on a health care provider’s professional judgment. The disclosure can be made to anyone who is in a position to prevent or lessen the impending threat. This can include family, caregivers, friends and law enforcement agencies.

  2. Treating the Patient

Disclosure of PHI may be necessary to treat the patient, or to treat a different patient. ‘Treatment’ here can mean the coordination and management of health care and related services by one or more healthcare providers.

  3. Ensuring Public Health and Safety

PHI can be revealed to the Centers for Disease Control and Prevention (CDC) or to a state or local health department. Public health authorities are authorized to collect the information so that they can prevent or control disease, injury or disability. The authorities, and persons at risk of contracting or spreading COVID-19, can receive information about prior, current, and prospective COVID patients, as long as state law authorizes it.

  4. Notifying Family, Friends, and Others Involved in Care

PHI can also be revealed to the patient’s family, friends, or others involved in the patient’s care, and to the police, the press, or the public when the patient is incapacitated, but only on the basis of professional judgement. Verbal permission is welcome where possible. Only necessary and related information can be disclosed in such cases. Patient permission is not required if the disclosure is to disaster relief organizations that coordinate with these families, friends and others.

  5. HIPAA Waivers To Help Medical Institutions

Any research needs credible and correct data to produce results. Without access to authentic data, the results are misleading. That is why some researchers and covered entities prefer data from records or patient trials. Hence the HIPAA waivers authorize doctors, researchers and other covered entities to use PHI even for non-healthcare purposes like marketing. But access to data is still limited in these cases.

  6. To Decrease In-Person Visits And Facilitate Telehealth

Penalties were waived for covered healthcare providers that could not provide a business associate agreement with video communication vendors. This is a good faith provision allowed during the public health emergency to reduce in-person visits and encourage telehealth services.

What Is Covered Under HIPAA Waiver?

The HIPAA waivers from HHS and OCR aim to speed up data sharing and telehealth, so that safe remote care can be provided with less burden on physicians during the pandemic. This has helped increase telehealth services and data sharing and reduce in-person visits, but only with a host of specifications that still ensure privacy and security.

Under HIPAA waivers, ‘covered hospitals’ were exempted from complying with a few provisions of the HIPAA Rules. These include:

  1. The HIPAA requirement to obtain a patient’s agreement to speak with family members or friends who are active in the patient’s care. This provision has been waived.
  2. The HIPAA requirement to honour a request to opt out of the facility directory, which has also been waived.
  3. The requirement to distribute a notice of privacy practices, which is now covered under the Limited Waivers.
  4. The patient’s right to request privacy restrictions.
  5. The patient’s right to request confidential communications.

Who Does The HIPAA Waiver Cover?

When a waiver is issued by the Secretary, it applies only:

  1. During the emergency period and in the emergency areas identified in the public health emergency declaration.
  2. To hospitals that have set up a disaster protocol; the waiver applies to all patients in those hospitals.
  3. For up to 72 hours from the time the hospital introduced the disaster protocol.

On termination of the Secretarial declaration, a hospital must start complying with all the requirements of the HIPAA Privacy Rule for patients.

Regardless of this emergency waiver, HIPAA at times allows disclosures for treatment purposes and to disaster relief organizations.

The waivers later allowed the use and disclosure of PHI by Business Associates (BAs) as well. This gave Federal public health authorities and other health monitoring agencies the rapid access to health data they needed to counter the pandemic.

Insights into the Lasting Implications of the Waivers

  1. OCR stopped imposing penalties for the lack of a business associate agreement, especially with video communication vendors, on the basis of good faith provision of telehealth services during the COVID-19 emergency. This encouraged the use of many popular applications, e.g. FaceTime and Google Hangouts video, to reach patients.

Later, the decision was further clarified by stressing the use of private remote communication and end-to-end encryption. 

  2. Later on, BAs were allowed to share COVID-19-related data with public health authorities. BAs got greater freedom to coordinate with the CDC and CMS in flattening the COVID curve.
  3. OCR lifted penalties for Community-Based Testing Sites (CBTS). Healthcare providers such as large pharmacy chains, and BAs, were hence allowed to operate a CBTS during COVID, with certain conditions.
  4. PHI of infected or exposed patients can also be shared with law enforcement, paramedics, and other first responders without authorization to help them understand the circumstances in which this type of data sharing is allowed.
  5. Just because OCR grants certain permissions, it does not mean that a covered entity’s security is not a concern. Providers must employ policies to prevent potential legal risks. They must enable all privacy and security options for the telehealth platform they use. There is a guideline to encourage providers to notify patients about the increased risk of the platform used.
  6. The increased data sharing needs to be balanced by employing best-practice cybersecurity measures. New risk assessments must be carried out and vulnerabilities addressed in the wake of these changes.
  7. HIPAA waivers are applicable only during the pandemic, but they will fuel a more permanent remote care landscape.
  8. The waivers might forever alter the way patient consent is obtained. Under HIPAA, a provider typically must provide a written notice of privacy practices.
  9. The recent push will fuel the practice of caring for patients at home, which could be a lasting implication.

The waivers will have a large impact on healthcare, and the need to dictate and consider privacy requirements for technology and security still remains to be addressed. But more importantly, these waivers could be the beginning of a greater shift in the way healthcare will be delivered even after the pandemic has ended.