January 22, 2021
I don’t think anyone will be surprised to hear the latest Department of Health and Human Services (HHS) announcement that waivers related to the Public Health Emergency (PHE) – affecting telehealth, COVID-19 information sharing, and more – are (you guessed it) extended! Originally expiring January 21, 2021, waivers were instead extended again until April 20, 2021.
While we all hope COVID-19 is behind us sooner rather than later, we won’t be surprised if waivers are extended again in April (after all, we’ve rung the false alarm 4 times now in saying that the PHE is expiring). Even if the light at the end of the COVID-19 tunnel takes a little bit longer, waivers will still expire, and the sooner your practice is prepared for that day – the better.
When it does happen, the PHE expiring won’t mean that life will snap back to the way it was pre-pandemic (as much as we all wish that it could). What it does mean is that normal HIPAA regulations will regain effect – and that your practice needs to have the necessary compliance requirements ready to go if they aren’t already. So let’s recap what changed over the course of 2020 and what’s expected of your practice to remain in compliance when normal HIPAA enforcement kicks back into gear:
PHI Disclosures
- Last February, the Office for Civil Rights (OCR) released guidance covering how protected health information (PHI) should and shouldn’t be handled during a PHE. The announcements essentially covered how HIPAA rules should be applied in regard to COVID-19 related information and provided specific scenarios in which patient information could be properly disclosed without patient authorization to benefit public health and safety. Even with relaxed requirements, there has been and will still be HIPAA requirements for PHI disclosures to others, particularly the media, even with the PHE still ongoing.
Business Associates
- Healthcare providers weren’t the only ones granted some wiggle room for PHI disclosures, and the same permissions were extended to business associates as well. In addition to ensuring that your own practice is covered when it comes to proper PHI disclosure, making sure that the third-party vendors you work with are doing the same is just as important. Now we know it’s not feasible to micromanage every Business Associate you work with, but having the proper (and up-to-date!) Business Associate Agreements signed and documented is. Just one document can be the difference between a hefty HIPAA fine – since your practice would be liable without one – and protection in the case of a business associate HIPAA violation.
Telehealth
- If there was one way to jump-start the healthcare industry’s use of telehealth services, the COVID-19 pandemic was it. In what seemed like the blink of an eye, providers of all specialties and sizes were offering telehealth to their patients. With benefits that go beyond social-distancing, we can expect these services to continue even after the PHE is over. While the OCR waivers provide limited discretion for use of non-HIPAA compliant telehealth services during the pandemic, once waivers expire you must switch to a HIPAA compliant telehealth provider and get that signed Business Associate Agreement, and all other safeguards necessary, in place.
2020 was a historic year for more reasons than just the National Public Health Emergency, and HIPAA enforcement saw record-breaking highs over the past 12 months. We can only expect these efforts to continue in 2021 especially once HIPAA waivers officially expire. If HIPAA is on your list to tackle in 2021 – and it should be, with recent legislation reducing fines for breaches if compliant – determining where you stand now and addressing any areas you’ve relaxed compliance in is a great first step!