HIPAA Enforcement Discretion and Preparing for the End of the National COVID-19 Public Health Emergency
Update: On January 30, 2023 the Biden Administration informed Congress that it intends to briefly extend the COVID-19 public health emergency declared under Section 319 of the Public Health Service Act until May 11, 2023, after which the public health emergency will expire.
Update: On January 11, 2023, Secretary Becerra renewed the COVID-19 public health emergency declared under Section 319 of the Public Health Service Act. The public health emergency is now set to terminate after April 11, 2023, unless extended for another 90-day period.
Introduction
Since January 27, 2020, the United States has been under a public health emergency declared under Section 319 of the Public Health Service Act (the “319 PHE”) due to COVID-19. The 319 PHE is currently slated to expire on January 11, 2023, but will likely be renewed for another 90 days. When the 319 PHE terminates, four HIPAA Notifications of Enforcement Discretion (NEDs) will also end. NEDs are issued by the Office of Civil Rights (OCR) within the United States Department of Health and Human Services (HHS). NEDs are a commitment by OCR to not enforce certain legal requirements during an emergency. During the COVID-19 pandemic, these four NEDs have provided important flexibilities and tools for HIPAA covered entities, including local health departments, hospitals, pharmacies, and their partners. Covered entities need to be prepared for when these four NEDs eventually terminate and OCR’s enforcement of the activities covered by the NEDs resumes.
The 319 PHE
The 319 PHE was issued in January 2020 by Alex Azar, the then-HHS Secretary. Public health emergency determinations made pursuant to Section 319 of the Public Health Service Act automatically terminate after 90 days unless renewed by the HHS Secretary. The 319 PHE has been continuously renewed since January 2020, most recently on October 13, 2022, which means the 319 PHE is next set to expire on January 11, 2023. However, the Biden Administration has committed to providing 60 days’ notice before the 319 PHE ends. That 60-day notification deadline fell on November 12, 2022, which came and went with no announcement from the Biden Administration. Therefore, it is likely that the 319 PHE will not end in January 2023 but will be renewed again.
The Four NEDs: An Overview
OCR is the federal entity within HHS that is responsible for enforcing violations of the Privacy, Security, and Breach Notification Rules under HIPAA and the HITECH Act (the “HIPAA Rules”). OCR’s enforcement authority extends to “covered entities,” which are health plans, health care providers, health care clearinghouses, and business associates as defined under HIPAA. By issuing a NED, OCR lets the public know that it is exercising its enforcement discretion and will not impose penalties for noncompliance with the HIPAA Rules when covered entities are carrying out specific actions covered by the NED.
OCR has issued four NEDs that tie back to the 319 PHE and that will end when the 319 PHE terminates. The NEDs address telehealth, business associates’ use and disclosure of protected health information (PHI), COVID-19 community based testing sites, and web-based scheduling applications for COVID-19 vaccination appointments. My colleague Jill Moore has already written about the NED issued for the use of web-based scheduling applications and her analysis can be read here. The other three NEDs are discussed in the sections below.
Covered entities that are trying to determine whether their activities are covered by a NED are encouraged to read the NED in full and to consult with their own legal counsel. Covered entities that have been relying on any of these four NEDs to carry out their work during the pandemic should also begin planning for how they will transition when the 319 PHE and the four NEDs come to an end. Finally, it is important to remember that there are North Carolina and federal laws other than HIPAA that may apply to health information that covered entities need to use or share in the course of their work. The NEDs discussed herein apply only to HIPAA and do not waive or change the requirements and protections imposed by other state or federal laws.
NED for Telehealth
This NED went into effect on March 17, 2020. During the COVID-19 pandemic, social distancing, isolation, quarantine, and stay-at-home orders have been useful tools for reducing the spread of disease but have also impacted the availability of in-person, non-emergency health care appointments. As a result, telehealth has become an increasingly common way for health care providers to serve their patients without being together in person. Telehealth services offered by covered entities must meet the requirements of the HIPAA Rules. HIPAA-compliant telehealth technology can be costly, especially for individual health care providers and smaller clinics. Although many health care providers had been using telehealth for years before COVID-19, others had to make the transition quickly when the pandemic struck. The NED for telehealth allows health care providers to make good faith use of certain types of telehealth products as a way to remotely deliver care for the duration of the 319 PHE.
Like the other three NEDs related to the 319 PHE, the NED for telehealth is tailored to cover specific covered entities and limited types of activities. I have summarized the key details of the NED for telehealth below:
- This NED applies only to health care providers (not to all covered entities).
- Telehealth services can be audio-only (e.g., telephone) or combination audio-video.
- Although the NED is tied to the 319 PHE, it covers all types of telehealth services (not just those related to diagnosis or treatment of COVID-19). The NED notes that health care providers should exercise their professional judgment to determine when telehealth, rather than in-person services, is appropriate.
- Health care providers’ use of telehealth is only covered by the NED when provided in “good faith.” OCR does not define “good faith” in the NED but has since shared examples of bad faith provision of telehealth services on its website.
- This NED only covers “non-public facing audio or video” communication products. The NED does not define “non-public facing” but does identify Facebook Live, Twitch, and TikTok as types of public facing applications that are not covered by the NED and should not be used.
- The NED lists popular applications like Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, and Skype as examples of applications that can be used in a non-public facing manner to deliver telehealth services under the NED.
- OCR encourages health care providers delivering telehealth services pursuant to this NED to notify patients that use of these applications involves privacy risks and to use encryption and other privacy protecting features whenever possible.
NED for Business Associates
This NED went into effect on April 7, 2020. A “business associate” or “BA” is a person or entity that carries out activities or specific functions involving PHI on behalf of or in the course of providing services to a covered entity. (See 45 CFR 160.103 for the full definition of “business associate”). BAs are required to enter into agreements with covered entities called “business associate agreements” or “BAAs.” These agreements specify the BA’s functions and how the BA can use or disclose PHI provided to it by the covered entity. If a BA uses or discloses PHI in a manner not described in the BAA then the covered entity and/or the BA could face enforcement action by OCR.
During the COVID-19 pandemic, health oversight agencies and public health authorities have sometimes asked BAs to provide PHI or use PHI (e.g., for data analysis) to support the COVID-19 response. This NED allows BAs to use and disclose PHI for health oversight and public health activities, subject to certain conditions, even if such uses and disclosures are not described in their existing BAAs. If a BA uses or discloses PHI in a way that is covered by this NED, OCR will not take enforcement action against the BA or the covered entity that provided the PHI to the BA. BAs’ use and disclosure of PHI under this NED is subject to several key conditions, which I have summarized below:
- This NED applies only to BAs whose BAAs do not already permit them to use or disclose PHI to public health and health oversight agencies in accordance with 45 CFR 164.512.
- BAs that use or disclose a covered entity’s PHI under this NED (when such use or disclosure is not already contemplated in the BAA) are limited to using or disclosing PHI for public health or health oversight activities in accordance with 45 CFR 164.512(b) and (d). Additionally, the BA must notify the covered entity within 10 calendar days of when the use or disclosure occurred or commenced (in the case of repeat uses or disclosures).
- BAs using or disclosing PHI under this NED must do so in “good faith.” Although the NED does not define “good faith,” it does include examples of good faith uses and disclosures of PHI that would be covered by the NED. These include uses and disclosures for or to a state or federal public health authority (e.g., the United States Centers for Disease Control and Prevention) “for the purpose of preventing or controlling the spread of COVID-19, consistent with 45 CFR 164.512(b)” or to a state or federal health oversight agency (e.g., the United States Centers for Medicare and Medicaid Services) “for the purpose of overseeing and providing assistance for the health care system as it relates to the COVID-19 response, consistent with 45 CFR 164.512(d).”
- This NED does not specifically say that BAs’ uses and disclosures of PHI for public health and health oversight purposes under this NED must be related to the COVID-19 pandemic response. However, the examples of good faith uses of PHI that are described in the NED suggest that OCR intended to narrowly tailor the NED to uses and disclosures that are necessary for carrying out COVID-19 related public health and health oversight activities. Additionally, the emergency that undergirds this NED is the 319 PHE, which was declared due to COVID-19. BAs should carefully assess requests to use or disclose PHI for public health or health oversight purposes to determine whether a request is connected to supporting the COVID-19 pandemic response.
NED for COVID-19 Community Based Testing Sites
This NED was issued on April 9, 2020, and made effective retroactively to March 13, 2020. While this NED is in effect, OCR will not impose penalties against HIPAA-covered health care providers and their BAs for violations of the HIPAA Rules in connection with the good faith operation of a COVID-19 Community Based Testing Site (CBTS). The NED defines CBTSs to include “mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public.” Operation of a CBTS includes “all activities that support the collection of specimens from individuals for COVID-19 testing.” The ease with which these mobile, drive-through, and walk-up sites can be set up in a community and outside of a traditional clinic has been important for increasing access to COVID-19 testing over the last few years. At the same time, the unique setup of these testing sites can make it more challenging to maintain patient privacy and protect PHI in these spaces. I have summarized the key details of this NED below:
- This NED applies only to covered health care providers and their BAs when they are participating, in good faith, in the operation of a CBTS. When an entity operates as both a health plan and a provider, the covered entity is covered by this NED only in its role as a health care provider.
- The NED does not apply to non-CBTS activities. OCR provides several examples, including that of a HIPAA-covered pharmacy that participates in the operation of a CBTS in its parking lot. In this example, if PHI is mishandled by pharmacy staff in the pharmacy’s main retail space (that is, not out at the CBTS in the parking lot), then HIPAA violations could apply.
- Once again, OCR does not define “good faith” in this NED, nor does it provide examples of good faith participation in a CBTS. The NED does, however, encourage health care providers and their BAs who are participating in the good faith operation of a CBTS to adopt reasonable safeguards to protect patients’ privacy and their PHI, such as using and disclosing only the minimum necessary PHI for treatment; setting up canopies and other physical barriers to protect patient privacy and PHI; controlling foot and car traffic to create distance between patients; creating buffer zones around the CBTSs to reduce the risk of individuals or media filming patients; and posting a Notice of Privacy Practices (NPP), or information about where to find an NPP online, in a conspicuous place at the CBTS.
Thinking About the Future
Covered entities conducting work that is covered by one of the NEDs should begin thinking about what they will do when the 319 PHE and the four NEDs terminate. By my observation, the once widespread use of CBTSs for COVID-19 testing has begun to wind down, which may reduce any burden associated with preparing for the end of the NED for CBTSs. Similarly, the demand for COVID-19 immunizations has evolved since the first vaccines were rolled out and several rounds of boosters have become available. In light of the decreased demand for vaccines, covered entities may be relying less and less on web-based scheduling applications to set up vaccine appointments and may be able to integrate scheduling for COVID-19 immunization appointments into their normal workflows. BAs that have been disclosing or using PHI pursuant to the NED for BAs can work with their covered entity partners to amend their existing BAAs, if appropriate, to permit the future use or disclosure of PHI by the BA to or for a public health or health oversight agency for COVID-19 related purposes.
The end of the NED for telehealth may prove especially challenging for certain covered entities to navigate. Unlike the other three NEDs, which were narrowly focused on services that relate directly to COVID-19, the NED for telehealth created flexibilities to support the delivery of both COVID-19-related and non-COVID-19 health services. As a result, providers may have heavily integrated telehealth into their practices and come to rely on telehealth technology that will no longer be allowed when the NED terminates. It is especially important for these providers to start thinking now about how they will transition the telehealth components of their practices when the 319 PHE and the NED for telehealth end. At this time, OCR has issued guidance on audio-only telehealth and the application of HIPAA (outside of a NED), which may be useful to providers that deliver telehealth services by telephone and plan to continue doing so after the NED for telehealth ends.
How to Stay Updated on the 319 PHE and NEDs
Information about renewals of the 319 PHE and the status of other national public health emergency declarations is available here from the Administration for Strategic Preparedness and Response within HHS. OCR has been using this website to post information about NEDs and other matters related to HIPAA and COVID-19. If OCR were to issue additional NEDs related to COVID-19 or the existing 319 PHE then information about the NED would likely be added to the website.
Coates’ Canons NC Local Government Law
HIPAA Enforcement Discretion and Preparing for the End of the National COVID-19 Public Health Emergency
Published: 12/01/22
Last-Revised: January 31, 2023
Author Name: Kirsten Leloudis