COVID-19: Will the OCR Exercise Enforcement Discretion and Waive Penalties for HIPAA Violations?
The global pandemic Covid-19 (SARS-CoV-2) has wreaked havoc around the world for the first half of 2020. The virus’s huge impact on the US Healthcare industry has overloaded physicians, doctors, and other hospital staff who have been caring for the sick or helping keep the hospital lights on 24×7. Non-frontline healthcare workers have been forced to work from home, small clinics have closed, and non-critical patient operations have been canceled.
At the peak of the pandemic, US hospital emergency room visits were down 42%, accompanied by a seismic shift toward visiting patients at home and conducting appointments and consultations by telephone or video conference. On 17 March 2020, the Office for Civil Rights (OCR) announced that it would exercise enforcement discretion and waive penalties for certain HIPAA violations.
However, it has become evident that this headline-grabbing announcement may have been misinterpreted by some HIPAA covered entities. Atlantic.Net is one of the largest and most successful providers of HIPAA compliant hosting solutions for the US healthcare industry. We have been extremely alarmed by reports that some covered entities have interpreted this news to mean that they do not need to meet HIPAA guidelines during this period of uncertainty.
This interpretation is absolutely not true. The OCR is only waiving specific HIPAA enforcement rules to allow greater flexibility when providing healthcare services directly to patients during these uncertain times. The OCR is not relaxing HIPAA regulation, and covered entities must at all times uphold the integrity of protected health information.
CMS Blanket Waivers
Some of the confusion may have arisen because a number of blanket waivers were introduced by the CMS. The CMS (Center for Medicare and Medicaid Services) has relaxed a number of rules (mostly relating to patient interactions) during the pandemic.
Any healthcare facility that has declared an emergency due to Covid-19 is in the scope of the waivers. For example, doctors no longer have to seek patient approval to notify immediate family if they are affected by Covid-19. Also, patient health records can be shared with the CMS if patients are being seen at home or offsite (not at a hospital). It is possible that these CMS waivers created some confusion about the scope of the rule relaxation.
The OCR Enforcement Waivers
The OCR waivers only relate to the teleconferencing technical safeguards of HIPAA compliance. Video conferencing services have proven invaluable during the pandemic, enabling clinics to continue operating and follow safe distancing guidelines. The technology has also helped to bring families closer together during the lockdown.
But, importantly, it has enabled GPs and medical teams to continue to offer front-line services directly to patients. The discretion offered by the OCR relates specifically to video conferencing technology, nothing more and nothing less!
Video conferencing is an approved technology when delivered through a HIPAA-compliant service; however, there are usually strict rules about the technology itself, patient consent, and the need for a Business Associate Agreement (BAA) to meet the required security restrictions. Prior to Covid-19, such a video conferencing tool would commonly have been a non-public-facing remote communication product made available to patients, often built on bespoke software solutions.
Since Covid-19, the rules have been relaxed significantly. According to the HHS: “Under this Notice, covered health care providers may use popular applications that allow for video chats, including Lets Talk, Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without the risk that OCR might seek to impose a penalty for non-compliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”
Banned video services such as Facebook, Twitch, Snapchat, and TikTok are simply not allowed under HIPAA. A number of video conferencing organizations have created HIPAA-compliant products that are approved by the HHS and OCR. However, the business associate agreements (BAAs) they offer have not been individually reviewed by the HHS; therefore, healthcare organizations are advised to conduct thorough due diligence to ensure that the product is suitable.
The type of video conferencing in scope is usually the specific healthcare edition of a product, not the general public release. The toolsets that have been whitelisted include Updox, VSee, Zoom for Healthcare, Doxy.me, Google G Suite Hangouts Meet, Cisco Webex Meetings / Webex Teams, GoToMeeting, and Spruce Health Care Messenger.
These platforms offer a number of technical safeguards that protect the integrity of PHI, including HIPAA-compliant levels of encryption that shield the audio and video streams, detailed logging of connection and session activity, and enforcement of user authentication with unique IDs and passwords. Conference rooms are protected with meeting access codes that are not publicly listed, and the presenter can share only the specific applications needed, which helps prevent accidental exposure of PHI.
To conclude, it is important to stress that the OCR has only relaxed some of the rules regarding video conferencing services implemented by HIPAA covered entities. This change in rules might be considered a sensible update to the rules as technology evolves. Video conferencing technology is everywhere, and relaxing these rules will greatly improve the patient experience.
All other physical, administrative, and technical safeguards required for HIPAA compliance are still enforceable by the OCR. One might argue that covered entities should be even more vigilant in these uncertain times, as cyber-attacks have risen sharply during the pandemic. Even the World Health Organization (WHO) has experienced a fivefold increase in cyber-attacks.
HIPAA Compliant Hosting
Are you in need of an infrastructure that can protect the health data of your organization? At Atlantic.Net, whatever your technical requirements, we can offer a top-grade HIPAA-Compliant Hosting solution.