On March 13, 2020, President Donald Trump declared a national emergency over COVID-19 which allowed the Department of Health and Human Services’ (“HHS”) Secretary, Alex Azar to exercise additional authorities under Section 1135 of the Social Security Act to, among other things, “temporarily modify or waive certain Medicare, Medicaid, Children’s Health Insurance Program (“CHIP”), and Health Insurance Portability and Accountability Act (“HIPAA”) requirements.” On March 15, 2020, Section 1135 waiver took effect and HHS issued waivers related to HIPAA and to Medicare reimbursement for telehealth services during the coronavirus pandemic, while continuing to emphasize the need for ongoing compliance with HIPAA’s Privacy Security Rules.

HHS released a Notification of Enforcement Discretion under HIPAA, 45 CFR Parts 160 and 164. The Notification of Enforcement Discretion will remain in effect until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared public health emergency, whichever occurs first. HHS won’t enforce penalties for violations of certain provisions of the HIPAA privacy rule against healthcare providers or their business associates for good-faith disclosures of protected health information for public health purposes during the COVID-19 emergency. This enforcement discretion does not extend to other requirements or prohibitions under the Privacy Rule, nor to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities. For example, covered entities and business associates remain liable for complying with the Security Rule’s requirements to implement safeguards to maintain the confidentiality, integrity, and availability of electronic PHI (ePHI), including by ensuring secure transmission of ePHI to the public health authority or health oversight agency.

Under this waiver, HHS Office for Civil Rights (the “OCR”) won’t impose penalties for disclosure of protected health information if the business associate makes good-faith use or disclosure for public health activities and informs the covered entity within 10 business days. This enforcement moratorium does not extend to other requirements or prohibitions under the privacy rule, nor to any obligations under the HIPAA security and Breach notification rules. For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose. In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures.

OCR issued COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities which contains additional guidance on how covered entities may disclose PHI about an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities in compliance with the HIPAA Privacy Rule. The guidance provides examples of the circumstances that a covered entity may disclose PHI, including: when needed to provide treatment; when required by law; when first responders may be at risk for an infection; and when disclosure is necessary to prevent or lessen a serious and imminent threat.

I’ve always advised clients and taught HIPAA seminars with the premise that you should treat the patient first and do what is necessary to obtain their information as part of that care and treatment and worry about a potential HIPAA or Florida medical records confidentiality law violation later this is the quintessential example of that premise.

Our best to all of you out there taking care of patients and protecting us in these difficult and unsettling times. Stay safe!

The Healthcare Team at Lowe & Evander, P.A. understand the hard work and sacrifices it takes to become a health professional or provider and aggressively defend health professionals regarding protecting their license, practice, career, assets and reputation. Using our experience and expertise, we navigate the obstacles our clients face, serving not only as their attorneys, but also as their legal strategists, trusted advisors and protectors of their rights and interest against government investigations and lawsuits when necessary, and we help chart a course through the maze of state and federal health care laws, rules and regulations.

The information provided in this article does not, and is not intended to, constitute legal advice; instead, all information and content in this article are intended to convey general informational only and may not constitute the most up-to-date legal or other information. Readers of this article should contact their attorney to obtain advice with respect to any particular legal matter. No reader of this article should act or refrain from acting on the basis of information in this article without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation.

Michael R. Lowe, Esquire is a Florida board-certified health law attorney at Lowe & Evander, P.A. Brian C. Evander, Esquire and Mr. Lowe regularly represent providers, physicians and other licensed health care professionals, and facilities in a wide variety of health care law matters.

For more information regarding those health care law and such matters please visit our website www.lowehealthlaw.com or call our office at (407) 332-6353.