Believe it or not, it’s been 9 months since the Nationwide Public Health Emergency (PHE) was first declared due to COVID-19. In fact, the Department of Health and Human Services (HHS) has extended waivers, originally set to expire on October 23, until January 20, 2021. 

While it might be hard to remember what life was like prior to face masks and restaurant capacity limits, it is important to remember what standard HIPAA regulations will once again be in effect (and which never went away) come January 2021.

First, HIPAA law has always covered specific ways to share protected health information (PHI) in case of a public health emergency, like the one 2020 has been so kind to bring us. HHS officially declared our current PHE this past January, putting those existing regulations in effect, in addition to waivers of certain HIPAA regulations such as telehealth applications. 

When we do return to normal (if anyone can remember what ‘normal’ is after this year) your practice will need to be ready to resume regular HIPAA-compliant operations. Here’s what changed, and what you need to know to follow proper HIPAA regulations moving forward.

Proper Sharing of PHI

• What happened: In early February, the Office for Civil Rights (OCR) released a bulletin outlining the ways to properly handle PHI sharing during the public health emergency under HIPAA. The bulletin essentially covered how the HIPAA Privacy Rule should be applied with regard to a public crisis and gave specific scenarios to when and how PHI could be disclosed without patient authorization.
• What to do by January 20th: While the bulletin was limited to the interest of public health safety, the leniency may have caused some confusion with when sharing PHI is acceptable and not – and your practice should ensure that it’s following the proper HIPAA guidelines even now, but especially by January 20th.

Business Associate’s Sharing PHI

• What happened: Relaxed disclosure permissions were also extended to Business Associates, and an additional OCR bulletin outlined similar flexibilities for third-party vendors to disclose PHI in the interest of protecting the safety of the general public.
• What to do by January 20th: While the importance of having business associate agreements (BAA’s) in place was never put on hold, it’s even more important to ensure that you have all the proper documentation in place once the waivers expire to limit your practice’s liability in the case of a business associate HIPAA violation.

Telehealth Waivers

• What happened: Telehealth has become a saving grace for parts of the healthcare industry, allowing providers to continue to see and treat patients from a safe distance. Besides maintaining social-distancing standards, the benefits that virtual appointments have created for both providers and their patients means telehealth services aren’t going away any time soon. 
• What to do by January 20th: Specific to the PHE, HHS provided certain flexibilities allowing telehealth services to be provided through non-compliant solutions and waived the need for a proper BAA with these platforms – but with the waivers reaching their expiration date, it’s important to ensure you are using a HIPAA-compliant telehealth provider moving forward with the right BAA signed, along with all the additional security safeguards necessary to protect patient data electronically. 

Now if you haven’t kept up with the news lately, the OCR has been on a fine-frenzy, levying a whopping 10 HIPAA settlements over the past 2 months. And while we might not have a crystal ball to predict the future (we certainly didn’t predict what 2020 has shaped up to be), we CAN make a pretty good guess that their enforcement efforts will remain at full-throttle for months to come. The last thing you want to do is find your practice caught up in their crosshairs, and forgetting to update your processes or systems as PHE waivers expire is an easy way to end up on their hit list.