The U.S. Department of Health and Human Services has prioritized efforts to contain the COVID-19 pandemic over enforcing HIPAA rules.
The coronavirus pandemic has changed almost everything about life as we knew it—the way many of us work, shop, gather, learn, and access healthcare. And at least temporarily, it has even changed how healthcare providers can manage people’s protected health information.
Since 1996, when Congress passed the Health Insurance Portability and Accountability Act (HIPAA), health providers, health plans and their vendors have been required to handle individuals’ health information in accordance with a strict set of regulations—or face steep penalties. However, on several occasions over the past 16 months, the U.S. Department of Health and Human Services (HHS), which enforces HIPAA regulations, has prioritized efforts to contain the COVID-19 outbreak over enforcing all HIPAA rules.
By relaxing some penalties, HHS’ Office for Civil Rights (OCR) has freed more healthcare providers to focus on caring for and vaccinating more people against COVID-19. Here’s how.
Easing Online Scheduling
In late February 2021, the OCR announced that healthcare organizations won’t be penalized for potential HIPAA violations related to the use of online or web-based scheduling applications for COVID-19 vaccine appointments. Many healthcare providers and business partners rely on vendors of web-based scheduling applications (WBSAs) for appointment scheduling.
Normally, these WBSAs must comply with detailed HIPAA rules. But during the pandemic, when many providers need to schedule large numbers of individuals for vaccination appointments, WBSAs may be the easiest way to do so. And by relaxing the penalties, the OCR ensures that those appointments can be scheduled quickly even if the chosen WBSA doesn’t comply with all HIPAA rules.
However, it’s not a free-for-all. WBSAs must meet some regulations; for instance, they must allow only the intended parties (such as the healthcare provider, the individual or the individual’s representative scheduling the appointment) to access the data that is created, received, maintained or transmitted by the WBSA. And the no-penalty regulation applies only to the use of WBSAs for scheduling COVID-19 vaccines.
This decision by the OCR has made it possible for millions of Americans to quickly and conveniently schedule vaccine appointments online over the past several months. As a result, more than 313 million doses of COVID-19 vaccine have been administered in the United States to date.
De-Penalizing Pandemic Response
The February announcement of waived penalties for online vaccine scheduling was the fifth penalty waiver announced by the OCR during the pandemic. Since early 2020, the OCR has made decisions at each stage of pandemic response to ease the burden for the public and those caring for their healthcare needs. Here’s a look at the first four penalty waivers.
Telehealth. On March 17, 2020, the OCR announced it would waive potential penalties for HIPAA violations against healthcare providers who use everyday communications technologies, such as FaceTime or Skype, to serve patients during the pandemic. The OCR followed up by providing guidance to explain how healthcare providers can use remote video communications and offer telehealth services to patients in a responsible way.
First responders. One week later, on March 24, 2020, the OCR released guidance allowing covered entities to disclose protected health information about an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders and public health authorities. The ability to disclose this information to first responders without fear of penalty for HIPAA violations meant that first responders could take extra precautions to protect themselves when necessary, while still providing critical services to a public in need of help.
Health authorities. It soon became clear that federal public health authorities and health oversight agencies such as the Centers for Disease Control and Prevention (CDC) and Centers for Medicare & Medicaid Services (CMS), state and local health departments, and state emergency operations centers all needed access to COVID-19 related data in order to make decisions to fight the pandemic. On April 2, 2020, the OCR announced it would not impose penalties for violations of certain HIPAA provisions against healthcare providers or their business associates if they, in good faith, disclosed protected health information for public health and health oversight activities during the pandemic.
Testing sites. As it became increasingly clear that more COVID-19 testing was needed, the OCR took steps to make it easier for healthcare providers and pharmacy chains to operate community-based testing sites. On April 9, the agency announced it would not impose penalties for HIPAA violations made in connection with operating a COVID-19 testing site in good faith. Covered sites included mobile, drive-thru or walk-up sites, as long as they only provided COVID-19 specimen collection or testing services to the public.
These HIPAA rule exceptions, of course, do not diminish the importance of protecting individuals’ health information. They do, however, reflect the need for occasional flexibility in the interest of public health during a pandemic or other healthcare crisis.