HHS Office for Civil Rights Guidance
During the COVID-19 public health emergency, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released several bulletins and guidance documents to help explain civil rights laws, as well as how the HIPAA Privacy Rule allows patient information to be shared during an outbreak of infectious disease and to assist patients in receiving the care they need. For additional information, visit the HIPAA and COVID-19 resource page on the HHS website.
May 5, 2020 – OCR Issues Guidance on Covered Health Care Providers and Restrictions on Media Access to Protected Health Information about Individuals in Their Facilities
OCR issued additional guidance reminding covered health care providers that the HIPAA Privacy Rule does not permit them to give media and film crews access to facilities where patients’ protected health information (PHI) will be accessible without the patients’ prior authorization.
The guidance explains that even during the current COVID-19 public health emergency, covered health care providers are still required to obtain a valid HIPAA authorization from each patient whose PHI will be accessible to the media before the media is given access to that PHI. The guidance clarifies that masking or obscuring patients’ faces or identifying information before broadcasting a recording of a patient is not sufficient, as a valid HIPAA authorization is still required before giving the media such access. Additionally, the guidance describes reasonable safeguards that should be used to protect the privacy of patients whenever the media is granted access to facilities.
“The last thing hospital patients need to worry about during the COVID-19 crisis is a film crew walking around their bed shooting ‘B-roll,’” said Roger Severino, OCR Director. “Hospitals and health care providers must get authorization from patients before giving the media access to their medical information; obscuring faces after the fact just doesn’t cut it,” Severino added.
Cyber-criminals may take advantage of the current COVID-19 global pandemic for their own financial gain or other malicious motives. However, resources are available to raise awareness of COVID-19-related cyber threats and to help organizations detect, prevent, respond to, and recover from these threats. OCR has provided resources that may be of interest to the healthcare community.
OCR shared the following update from the Cybersecurity and Infrastructure Security Agency (CISA) at the U.S. Department of Homeland Security, warning individuals to remain vigilant for COVID-19-related malicious cyber activity.
This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC). Both CISA and NCSC are seeing a growing use of COVID-19-related themes by malicious cyber actors. At the same time, the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations.
APT groups and cybercriminals are targeting individuals, small and medium enterprises, and large organizations with COVID-19-related scams and phishing emails. This alert provides an overview of COVID-19-related malicious cyber activity and offers practical advice that individuals and organizations can follow to reduce the risk of being impacted. The IOCs provided within the accompanying .csv and .stix files of this alert are based on analysis from CISA, NCSC, and industry.
Note: this is a fast-moving situation and this alert does not seek to catalogue all COVID-19-related malicious cyber activity. Individuals and organizations should remain alert to increased activity relating to COVID-19 and take proactive steps to protect themselves.
April 9, 2020 – OCR Announces Notification of Enforcement Discretion for Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced that it will exercise its enforcement discretion and will not impose penalties for violations of the HIPAA Rules against covered entities or business associates in connection with their good faith participation in the operation of COVID-19 testing sites during the COVID-19 nationwide public health emergency. This exercise of enforcement discretion is effective immediately, but has a retroactive effect to March 13, 2020.
This Notification was issued to support certain covered health care providers, including some large pharmacy chains, and their business associates that may choose to participate in the operation of a Community-Based Testing Site (CBTS), which includes mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public.
“We are taking extraordinary action to help the growth of mobile testing sites so more people can get tested quickly and safely,” said Roger Severino, OCR Director. “President Trump has ordered the federal government to use every tool available to help save lives during this crisis, and this announcement is another concrete example of putting the President’s directive into action,” Severino added.
OCR shared the following update from the Cybersecurity and Infrastructure Security Agency (CISA) at the U.S. Department of Homeland Security, warning individuals to remain vigilant for scams related to COVID-19.
FBI Releases Guidance on Defending Against VTC Hijacking and Zoom-bombing: The Federal Bureau of Investigation (FBI) has released an article on defending against video-teleconferencing (VTC) hijacking (referred to as “Zoom-bombing” when the attacks target the Zoom VTC platform). Many organizations and individuals are increasingly dependent on VTC platforms, such as Zoom and Microsoft Teams, to stay connected during the Coronavirus Disease 2019 (COVID-19) pandemic. The FBI has released this guidance in response to an increase in reports of VTC hijacking.
It has come to OCR’s attention that an individual posing as an OCR Investigator has contacted HIPAA covered entities in an attempt to obtain protected health information (PHI). The individual identifies themselves on the telephone as an OCR investigator, but does not provide an OCR complaint transaction number or any other verifiable information relating to an OCR investigation.
HIPAA covered entities and business associates should alert their workforce members, and can take action to verify that someone is an OCR investigator by asking for the investigator’s email address, which will end in @hhs.gov, and asking for a confirming email from the OCR investigator’s hhs.gov email address. If organizations have additional questions or concerns, please send an email to: OCRMail@hhs.gov. Suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation (FBI).
April 2, 2020 – OCR Announces Notification of Enforcement Discretion to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities During The COVID-19 Nationwide Public Health Emergency
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced, effective immediately, that it will exercise its enforcement discretion and will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against health care providers or their business associates for the good faith uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency.
This Notification was issued to support Federal public health authorities and health oversight agencies, such as the Centers for Disease Control and Prevention (CDC) and the Centers for Medicare and Medicaid Services (CMS), state and local health departments, and state emergency operations centers that need access to COVID-19-related data, including PHI. The HIPAA Privacy Rule already permits covered entities to provide this data, and today’s announcement now permits business associates to also share this data without risk of a HIPAA penalty.
“The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic,” said Roger Severino, OCR Director. “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives,” Severino added.
March 28, 2020 – OCR Issues Bulletin on Civil Rights Laws and HIPAA Flexibilities That Apply During the COVID-19 Emergency
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a bulletin to ensure that entities covered by civil rights authorities keep in mind their obligations under laws and regulations that prohibit discrimination on the basis of race, color, national origin, disability, age, sex, and exercise of conscience and religion in HHS-funded programs, including in the provision of health care services during COVID-19.
OCR is particularly focused on ensuring that covered entities do not unlawfully discriminate against people with disabilities when making decisions about their treatment during the COVID-19 health care emergency.
OCR enforces the Americans with Disabilities Act, Section 504 of the Rehabilitation Act, the Age Discrimination Act, and Section 1557 of the Affordable Care Act, which prohibits discrimination in HHS-funded health programs or activities. These laws, like other civil rights statutes OCR enforces, remain in effect. As such, persons with disabilities should not be denied medical care on the basis of stereotypes, assessments of quality of life, or judgments about a person’s relative “worth” based on the presence or absence of disabilities or age. Decisions by covered entities concerning whether an individual is a candidate for treatment should be based on an individualized assessment of the patient and his or her circumstances, based on the best available objective medical evidence.
“Our civil rights laws protect the equal dignity of every human life from ruthless utilitarianism,” said Roger Severino, OCR Director. “HHS is committed to leaving no one behind during an emergency, and helping health care providers meet that goal. Persons with disabilities, with limited English skills, and older persons should not be put at the end of the line for health care during emergencies,” Severino added.
March 24, 2020 – OCR Issues Guidance to Help Ensure First Responders and Others Receive Protected Health Information about Individuals Exposed to COVID-19
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued guidance on how covered entities may disclose protected health information (PHI) about an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.
The guidance explains the circumstances under which a covered entity may disclose PHI such as the name or other identifying information about individuals, without their HIPAA authorization, and provides examples including:
- When needed to provide treatment;
- When required by law;
- When first responders may be at risk for an infection; and
- When disclosure is necessary to prevent or lessen a serious and imminent threat.
March 20, 2020 – OCR Issues Guidance on Telehealth Remote Communications Following Its Notification of Enforcement Discretion
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued guidance on telehealth remote communications following its Notification of Enforcement Discretion during the COVID-19 nationwide public health emergency.
The Notification, issued earlier this week, announced, effective immediately, that OCR is exercising its enforcement discretion to not impose penalties for HIPAA violations against healthcare providers in connection with their good faith provision of telehealth using communication technologies during the COVID-19 nationwide public health emergency.
The new guidance is in the form of frequently asked questions (FAQs) and clarifies how OCR is applying the Notification to support the good faith provision of telehealth. Some of the FAQs include:
- What covered entities are included and excluded under the Notification?
- Which parts of the HIPAA Rules are included in the Notification?
- Does the Notification apply to violations of 42 CFR Part 2, the HHS regulation that protects the confidentiality of substance use disorder patient records?
- When does the Notification expire?
OCR shared the following update from the Cybersecurity and Infrastructure Security Agency (CISA) at the U.S. Department of Homeland Security, warning individuals to remain vigilant for scams related to Coronavirus Disease 2019 (COVID-19).
Defending Against COVID-19 Cyber Scams: The Cybersecurity and Infrastructure Security Agency (CISA) warns individuals to remain vigilant for scams related to Coronavirus Disease 2019 (COVID-19). Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes. Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.
March 17, 2020 – Notification of Enforcement Discretion for Telehealth Remote Communications during the COVID-19 Nationwide Public Health Emergency
“We are empowering medical providers to serve patients wherever they are during this national public health emergency. We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.” – Roger Severino, OCR Director.
The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is responsible for enforcing certain regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, to protect the privacy and security of protected health information, namely the HIPAA Privacy, Security and Breach Notification Rules (the HIPAA Rules).
During the COVID-19 national emergency, which also constitutes a nationwide public health emergency, covered health care providers subject to the HIPAA Rules may seek to communicate with patients, and provide telehealth services, through remote communications technologies. Some of these technologies, and the manner in which they are used by HIPAA covered health care providers, may not fully comply with the requirements of the HIPAA Rules.
OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This notification is effective immediately.
March 16, 2020 – Waiver or Modification of Requirements under Section 1135 of the Social Security Act as the Result of the Consequences of the 2019 Novel Coronavirus (COVID-19)
HHS Secretary Alex M. Azar declared a nationwide public health emergency, effective March 15, 2019, at 6:00 p.m. due to the nationwide COVID-19 outbreak and President Donald J. Trump’s declaration that the COVID-19 outbreak in the United States constitutes a national emergency.
March 16, 2020 – OCR Issues Bulletin on Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency
In response to President Donald J. Trump’s declaration of a nationwide emergency concerning COVID-19, and Secretary of the U.S. Department of Health and Human Services (HHS) Alex M. Azar’s earlier declaration of a public health emergency on January 31, 2020, Secretary Azar has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
- the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
- the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
- the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
- the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
- the patient’s right to request confidential communications. See 45 CFR 164.522(b).
In light of the Novel Coronavirus (2019-nCoV) outbreak, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) is providing this bulletin to ensure that HIPAA covered entities and their business associates are aware of the ways that patient information may be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency.
The HIPAA Privacy Rule protects the privacy of patients’ health information (protected health information) but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.