The evolving effects of the novel coronavirus disease (COVID-19) global pandemic have been significant. It is important to be mindful of privacy obligations even as health care providers work to combat the pandemic and employers enact policies to protect workers. Regulators have issued guidance aimed at striking a balance between protecting privacy and facilitating effective treatment. Specifically, the U.S. Department of Health and Human Services (HHS) has announced that it is waiving enforcement of certain provisions of the Health Insurance Portability Authorization Act (HIPAA). Meanwhile, the European Data Protection Board (EDPB) and various data protection authorities (DPAs) issued guidance on how to comply with the General Data Protection Regulation (GDPR) during the pandemic.
The HHS Secretary declared a public health emergency for the entire United States effective as of January 27, 2020 (“Secretarial Declaration”). The Secretary also issued a limited waiver of certain provisions of the HIPAA Privacy Rule (Privacy Rule) for covered hospitals effective on March 15, 2020, and retroactive as of March 1, 2020. Covered hospitals can now share protected health information (PHI) with other health care officials and providers without prior patient authorization in particular instances and within a 72-hour time frame. Additionally, the Office of Civil Rights (OCR), charged with HIPAA enforcement, recently announced that it is relaxing enforcement of certain HIPAA privacy requirements for telehealth services.
The HIPAA Privacy Rule is intended to secure the transmission and disclosure of PHI. With limited exceptions, it generally prohibits covered entities (i.e., health plans, health care providers, and health care clearing houses) and their business associates from sharing PHI without prior patient authorization. Notably, a business associate may make disclosures permitted by the Privacy Rule, such as to a public health authority, on behalf of a covered entity or another business associate to the extent authorized by its business associate agreement (BAA). Violation of the Privacy Rule is subject to a variety of sanctions and penalties from HHS. Fines range from $100 to $250,000 per offense, subject to an annual cap of $1.5 million. Some violations also carry a criminal penalty of imprisonment. HHS may issue waivers of the Privacy Rule in times of natural disasters or public health emergencies.
The recent waiver applies to the following provisions of the Privacy Rule:
This waiver applies only to covered hospitals:
All other HIPAA provisions not addressed in the waiver remain in effect.
When the Secretarial Declaration terminates, the waiver expires and is inapplicable for any patient still under a hospital’s care, even if 72 hours have not elapsed since implementation of its disaster protocol.
Even absent the waiver, however, HIPAA has existing exceptions for “emergency situations” when covered entities may disclose PHI without prior patient authorization. For example, covered entities may share relevant protected health data to treat a patient or in the treatment of another patient, and covered entities may share PHI with public health authorities as deemed necessary by the covered entity to further a public health objective. For the same public health purpose, HIPAA permits covered entities to use or disclose PHI to a “person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease,” so long as the covered entity (or public health authority) is authorized by law to transmit that health information, and the PHI is necessary to further an investigation or public health intervention.
Although smart devices are almost ubiquitous in the United States, health care providers have yet to leverage their full capacity to promote telehealth services, such as video conferencing via Apple’s FaceTime. Historically, use of these commercial applications has posed HIPAA compliance challenges because most either do not use a HIPAA-compliant server to transmit their data, or the providers do not have a BAA with the software developer or service provider as required by HIPAA.
OCR’s Notice states that OCR will not impose penalties for noncompliance with HIPAA (including for the lack of a BAA with communication service providers) in connection with providers’ good faith provision of telehealth services during the pandemic, even for services unrelated to COVID-19 (e.g., assessment or treatment of a sprained ankle, dental consultation, psychological evaluation). That is, health care providers may now use private audio or video communication technology to provide telehealth services to patients even if the technologies, or the manner in which they are used by health care providers, are not fully HIPAA-compliant. Notwithstanding this announcement, OCR discourages providers from using applications that it deems public facing, including Facebook Live, Twitch or TikTok.
Providers may use commercially available, non-public applications such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype. If providers opt to use these applications, they are encouraged, but not required, to notify patients that these third-party applications have the potential to introduce privacy risks. Providers are also advised to enable all available encryption and the most restrictive privacy settings when using such products. For additional privacy protections, OCR advises providers to use vendors that are HIPAA-compliant and who will enter into BAAs with the providers. Although it endorses no products, OCR has identified the following service providers that have declared themselves HIPAA-compliant and announced their intent to enter into BAAs with health care providers to facilitate health care services:
In addition to issuing the Notice, OCR recently issued detailed guidance on HIPAA obligations and exceptions that apply during public health emergencies, BAAs (including sample provisions) and HIPAA Security Rule safeguards. HealthIT.gov also has helpful technical information regarding telehealth services. Relatedly, the Centers for Medicare & Medicaid Services (CMS) has temporarily expanded, on an emergency basis, Medicare coverage for telehealth services.
As governments and organizations work diligently to track and contain COVID-19, personal data processing is all but inevitable. Employers likewise face the challenge of maintaining a healthy workforce while protecting the privacy of infected employees. GDPR, widely considered to be the most restrictive privacy law, continues to be applicable and many data protection authorities have issued helpful guidance on how to comply during the pandemic.
The European Data Protection Board (EDPB) is an independent European body that, among other things, promotes uniform application of the GDPR, issues guidance on interpretation of the GDPR and adjudicates disputes concerning cross-border data processing activities. The EDPB Chair issued a statement dated March 16, 2020, emphasizing the need to ensure protection of personal data during the COVID-19 outbreak. The GDPR notably permits employers and public health authorities to process personal data without the need to obtain consent from the data subject, such as if processing is necessary in furtherance of public health interests, to protect the vital interests of the data subject or another person in an emergency situation, where the data subject is incapable of providing consent, or to comply with a legal obligation (e.g., GDPR Articles 6 and 9). Erasure of personal data upon the data subject’s request may also be excused (e.g., GDPR Article 17).
It is important to check for legislation from Member States and guidance from the data protection authorities (DPAs) that have jurisdiction over an organization’s data or activities. Much of the guidance issued to date highlights employees’ obligation to act upon the guidance of public health authorities, employers’ obligation to protect their employees, and how to balance public interest against privacy considerations. For instance, the Italian DPA adopted a decree giving the government certain “extraordinary” powers, such as permitting certain data processing and simplifying methods for obtaining consent to process data. While an employee may have an obligation to inform his or her employer of any danger to health and safety at the workplace, particularly where the employee’s duties involve contact with the public, employers are warned against generally collecting or specifically requesting health information about the employee or their contacts outside of the work environment because public health authorities are charged with these investigations. France’s DPA issued similar guidance and warns employers against requiring mandatory temperature readings or employing medical questionnaires. Ireland’s DPA, meanwhile, advises employers to be transparent regarding data processing in connection with the pandemic, secure personal data (particularly health information), limit data collection only to what is necessary to prevent or contain the spread of COVID-19, and document the decision-making process regarding measures implemented to manage COVID-19 as they relate to data processing. The United Kingdom’s (UK’s) DPA permits collection of certain limited data from employees and office visitors regarding symptoms and travel history, but warns against collecting more data than necessary. It also announced that organizations will not be penalized for failure to reply to data subjects’ requests to exercise their rights under the GDPR in a timely manner, because organizations understandably have to divert resources to maintain operations or adapt their compliance mechanism. It also advised that text messages and other electronic communication from the government or health professionals do not consist of regulated direct marketing communication. Indeed, the UK DPA encourages using the latest technology to facilitate communication to stem public health threats.
In addition to GDPR requirements, employers should be mindful of similar requirements under United States law. In addition to privacy rights under common law, there are various statutory and regulatory requirements. For instance, the Americans with Disability Act prohibits discrimination against individuals with disabilities, and limits what information employers may request regarding an employee’s health, while the Occupational Safety and Health Administration sets forth workplace safety requirements and reporting obligations that should be balanced against employee privacy.
The public health situation, and guidance regarding privacy obligations, continue to evolve. Each organization should identify relevant regulatory authorities, review guidance issued by those authorities and implement such an informed compliance strategy while balancing business needs.
During this challenging time, it is important that health care providers and employers effectively manage PHI and comply with appropriate regulations. They should also be aware of circumstances when certain regulatory requirements may be relaxed in connection with the ongoing pandemic.
Additional Assistance
For more information on this topic, please contact Anna Mercado Clark at aclark@phillipslytle.com, (212) 508-0466; the Phillips Lytle attorney with whom you have a relationship or any other Phillips Lytle attorney who can assist you during these times of uncertainty.
Receive firm communications, legal news and industry alerts delivered to your inbox.
Subscribe Now