Photo of Erica M. Ash

Erica helps healthcare clients navigate regulatory matters so they can get back to the business of patient care. She assists clients with compliance, transactional and licensure matters, including Health Insurance Portability and Accountability Act (HIPAA) compliance, Medicare and Medicaid reimbursement procedures, Stark Law compliance, and fraud, waste and abuse issues.

On December 10, 2020, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) released a proposed rule that would revise the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In its news release, OCR noted that the changes “seeks to promote value-based health care by examining federal regulations that impede efforts among healthcare providers and health plans to better coordinate care for patients.” The proposed changes come on the heels of the recently delayed Information Blocking Rule, which seeks to prohibit interferences with access, exchange, or use of electronic health information (EHI). The key proposed changes are discussed below.

Keypoint: If properly deployed, the use of COVID-19 contact-tracing apps by employers, in combination with other measures, could be an effective way to return employees to the workforce. However, before deploying these apps, employers should take caution to fully vet the technologies being used to ensure that employee privacy is respected.

As the United States and Europe have started the process of returning to work, the development, deployment, and use of COVID-19 contact-tracing apps has become a focal point for how governments intend to mitigate risk. ChinaSingapore, and South Korea have already implemented national contact-tracing apps. European countries and Australia have been rapidly working towards their deployment.

In connection with the rapid development of governmental contact-tracing apps, tech companies have started to develop similar apps for employers. A handful of employer-focused contact-tracing apps are already on the market and many more are in development. Some employers are already planning to deploy these apps. For example, Ferrari recently announced that it will utilize a contact-tracing app as part of its “Back on Track” plan.

The use of these apps raises numerous privacy concerns for U.S. employers. As employers begin to vet these apps, they will need to ensure that they do not unintentionally violate privacy laws or assume liabilities by deploying them with their workforce.

The U.S. Department of Health & Human Services Office of Civil Rights (OCR) announced that it will refrain from imposing penalties for violations of HIPAA for covered entities or business associates participating, in good faith, in the operation of COVID-19 Community-Based Testing Sites during the nationwide public health emergency. The notice related to the relaxation

Section 3221 of the CARES Act ratified fundamental changes to the Public Health Service Act requiring HHS to revise 42 C.F.R. Part 2,  regulations within 12 months. The changes are significant and follow the increasing movement to align the rules that govern the confidentiality requirements of substance use disorder records with HIPAA. Our health law

The Department of Health and Human Services, Office of Civil Rights (OCR) recently released guidance and helpful examples illustrating how Covered Entities can comply with HIPAA and the Privacy Rule and still disclose protected health information (PHI) about individuals infected with or exposed to COVID-19 to Essential Providers. Read the full post on our Healthcare

On March 20, 2020 OCR released a Frequently Asked Questions list to help further clarify its March 17th Waiver.  In the FAQ, OCR clarifies that the waiver not only allows providers to utilize platforms that do not comply with the requirements of the Security Rule (discussed in our original post), but it also applies to the Breach Notification and Privacy Rules that may be implicated when using a less secure platform. OCR also assures providers that if protected health information is intercepted and during the the “good faith provision of telehealth,” OCR will not pursue otherwise applicable penalties.

On March 17, 2019, the Department of Health and Human Services, Office of Civil Rights (OCR) announced that it will exercise its enforcement discretion and waive potential penalties for HIPAA violations against healthcare providers that see patients through non-public communication applications during the COVID-19 nationwide public health emergency.

Background on Security Requirements for Telemedicine providers

Under what is commonly referred to as the HIPAA “Security Rule,” CMS requires organizations to have certain safeguards in place to protect patients’ health information. These safeguards require organizations to comply with certain minimum technical and organizational requirements. Part of the technical requirements is that organizations must have security measures in place “to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.” This requires providers to utilize telehealth platforms that have, at a minimum, certain encryption and integrity controls in place. Furthermore, as an organizational safeguard, the Security Rule requires that telehealth providers enter into Business Associate Agreements with these platforms to ensure the platform will comply with HIPAA and protect patients’ health information.