Coronavirus and HIPAA Waivers: What has Changed and How to Stay Compliant


Post By: Rahul Varshneya

The coronavirus crisis has flipped the world on its head. Most people are staying home, and health care providers are extending the reach of telehealth in order to keep providing care.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is the cornerstone of health information privacy and security regulation in the US. In the wake of the COVID-19 pandemic, however, the HHS Office for Civil Rights (OCR) and other HHS agencies issued new guidance, including a March 30th announcement this year covering health care providers such as home health agencies and home medical equipment providers.

This guidance relaxes enforcement of various HIPAA requirements so that providers can meet soaring health care demand and the increased need for virtual care during the current crisis. If you want to ramp up your medical practice through telemedicine during the pandemic and serve as many patients as possible, understanding the changing legal and regulatory measures will help.

Here’s all that has changed and what you need to know to stay compliant.

1) Telehealth Regulations Waiver

On March 27, 2020, the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) was signed into law. Alongside provisions aimed at bolstering the economy and funding the medical response, the act provides additional flexibility and funding for telehealth.

As of today, the Health & Human Services (HHS) Secretary, Alex Azar, has waived requirements in many different areas including:

  • Originating site: The “originating site” requirement has been waived for geographic areas designated as an “emergency area.” Under normal circumstances, a beneficiary must travel to an actual site of care (the originating site) to receive telehealth services.

With the waiver, beneficiaries can receive these services wherever they are. In light of the coronavirus public health emergency, Secretary Azar has also waived the geographic restrictions on Medicare telehealth services, so that they can be delivered in any location in the country, including patients’ homes.

  • Device type: Secretary Azar has also relaxed the restrictions on the devices that can be used to access telehealth services, so personal smartphones and tablets can be used, provided the beneficiary has both an audio and a video connection to the clinician. During the COVID-19 pandemic, telehealth providers can use everyday communication tools such as Skype or FaceTime without fear of being penalized for a HIPAA violation.
  • Patient and service eligibility: Both existing and new patients can now access telehealth for a wide range of health care services. Before the pandemic, telehealth covered only a limited set of services and required that the provider, or another practitioner in the same practice, had furnished services to the patient within the past three years.

At present, new patients can receive telehealth services with no prior history with the provider. Although telehealth still requires informed consent and that the beneficiary initiate the encounter, the waiver permits a remarkable increase in the number of providers who can now treat patients virtually.

All other telehealth regulations not mentioned above remain in effect.

2) HIPAA Privacy Rule Waivers

For the duration of the COVID-19 public health emergency, HHS has waived sanctions and penalties against covered hospitals that do not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirement to obtain a patient’s agreement before speaking with family members or friends involved in the patient’s care;
  • the requirement to honor a request to opt-out of the facility directory;
  • the requirement to distribute a notice of privacy practices;
  • the patient’s right to request privacy restrictions; and
  • the patient’s right to request confidential communications.

HHS has further underlined that these waivers only apply:

  • in the emergency area identified in the public health emergency declaration;
  • to hospitals that have instituted a disaster protocol; and
  • for up to 72 hours from the time the hospital implements its disaster protocol.

When the Presidential or Secretarial declaration ends, every hospital must immediately return to full compliance with the Privacy Rule for any patient still under its care, even if 72 hours have not yet passed since it implemented its disaster protocol.

With the waivers covered, the next question is:

How Providers can Stay HIPAA Compliant amid these Relaxations

1) Compliance Specific to Telehealth Usage

Pushed by the coronavirus outbreak, telemedicine can finally go mainstream.

The waivers issued by OCR and CMS permit the use of audio and video communication technology for real-time, two-way interactions between a health care provider and an individual seeking care. Telehealth can therefore become an important tool for reaching underserved areas and individuals who are unable to travel; until now, federal health care programs offered only limited coverage for it.

Although the COVID-19 emergency prompted these actions, the new flexibility is not limited to telehealth for COVID-19 alone. For example, if a patient needs care for an existing condition, the temporary waiver applies to those services just as it does to COVID-19 testing and treatment.

2) Compliance related to Medicare Rules

Under normal circumstances, a health care provider risks violating Medicare’s fraud, waste, and abuse rules if it routinely waives a patient’s cost-sharing obligations, such as deductibles and copayments.

However, one of the waivers issued in the wake of the coronavirus states that HHS will temporarily be “providing flexibility” for providers to reduce or waive patient cost-sharing for telehealth visits paid for by Medicare without risking enforcement action. Health care professionals treating patients through telehealth platforms may therefore choose to reduce or waive deductibles and copayments for those visits; the waiver permits this but does not require it.

3) Organization-wide Compliance

Whether or not a pandemic is under way, staff members who are not well informed about changing HIPAA requirements can unintentionally cause trouble. Providing proper training is vital to ensure that the people working for you recognize the importance of compliance. Preparing training manuals and conducting regular HIPAA audits helps employees and also demonstrates that your organization is committed to educating its workforce to abide by the mandate.

OCR also announced that it will not impose penalties on providers that, in good faith, use certain non-compliant technologies to provide telehealth services to individuals during this emergency.

Telehealth can therefore be delivered over commonly used video conferencing tools that might not otherwise meet HIPAA’s security requirements, such as Facebook Messenger video chat, Apple FaceTime, or Google Hangouts. It is important to note, however, that this enforcement discretion is limited to non-public-facing technologies; providers are directed not to use public-facing technologies such as TikTok or Facebook Live. OCR also encourages providers to enable all available encryption and privacy settings in whatever tool they use, to notify patients that these third-party applications may introduce privacy risks, and, where they want stronger protection, to choose vendors that will sign a HIPAA business associate agreement.

The waivers issued by the authorities in the wake of COVID-19 should allow health care providers to expand their use of telehealth by offering it through platforms their patients can readily access. After all, this is set to become the new norm.

About the Author: Rahul Varshneya is the co-founder and president of Arkenea, a digital health consulting firm. Rahul has been featured as a technology thought leader across Bloomberg TV, Forbes, HuffPost, Inc, among others.