March 18 WPF Statement on COVID-19 Telehealth HIPAA Waiver

March 18, 2020

In This Statement:

What are the changes to HIPAA that have been enacted during the COVID-19 national emergency?
What are the privacy concerns?
WPF recommendations to ensure patient privacy is protected during and after the emergency

(PDF of statement: WPF Statement on COVID-19 Telehealth HIPAA Waiver)

In response to the COVID-19 (coronavirus) pandemic, the U.S. Department of Health and Human Services announced some changes in HIPAA practices. In general, the HIPAA privacy rule already provides plenty of flexibility for operation of the health care system under emergency circumstances. See, for example, a discussion of the rule’s provisions and their application in emergency circumstances at: https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf.

During emergencies – like hurricanes and other natural disasters – HHS routinely announces that it will waive sanctions and penalties from noncompliance with selected provisions of the HIPAA privacy rule. These waivers are expressly limited in scope and application and include:

(a) the requirements to obtain a patient’s agreement to speak with family members or friends or to honor a patient’s request to opt out of the facility directory (45 C.F.R. § 164.510);

(b) the requirement to distribute a notice of privacy practices (45 C.F.R. § 164.520); and

These “traditional” waivers are also in place for the coronavirus pandemic. See https://www.phe.gov/emergency/news/healthactions/section1135/Pages/covid19-13March20.aspx

All of these actions are familiar and, from the perspective of the World Privacy Forum, unobjectionable. We recognize that privacy rules must make accommodations under emergency circumstances, although there is no reason to abandon privacy rules entirely. Privacy remains an essential element of health care at all times. So does public health.

Additional steps from HHS regarding COVID – 19

For the coronavirus pandemic, HHS took additional steps. HHS announced that it will exercise enforcement discretion and not impose penalties for noncompliance with the HIPAA requirements against covered health care providers who provide in good faith telehealth services during the COVID-19 nationwide public health emergency. https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html.

Normally, the HIPAA security rule requires that a covered entity, including health care providers, must review the risks of using new technologies and must consider whether encryption should be used for communications. The rule requires both a process and documentation of the decisions made. See, for example, 45 C.F.R. §§ 164.306 and 164.308.

The waiver by HHS means that during the emergency, health care providers can use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth services without going through the otherwise required risk evaluation and documentation. HHS will not seek to penalize HIPAA covered entities for noncompliance.

Further, the use of some services provided by a business associate normally requires a business associate agreement between the covered entity and the business associate. HHS will not impose penalties for the absence of an agreement for telehealth functions during the emergency.

The World Privacy Forum understands the need for these waivers in the current circumstances. We note that HHS encourages providers to notify patients of the risks and to use available encryption when using popular applications for telehealth. This is entirely appropriate.

We were pleased to see that HHS carefully distinguished between video communication applications that are public facing – Facebook Live, Twitch, TikTok, and others – and those that are not. Public facing applications pose grave threats to patient privacy, and HHS properly stated that they should not be used by covered entities for telehealth.

Concerns and Recommendations Regarding the Telehealth HIPAA Waiver

While the World Privacy Forum supports the announced waivers, we remain concerned that some providers of video communications services may somehow see the use of their services for telehealth as a business opportunity that will allow them to collect, maintain, and exploit information that travels through those communications. Under present circumstances, no existing law may prevent commercial use of health information communicated in this way.

WPF has three key recommendations to ensure patient privacy during and after the emergency:

We urge that any company involved will exercise restraint and appropriate behavior and expressly avoid collecting or using any health care information (including the mere fact of a communication between provider and patient) that is not essential to the communication service provided.

Further, any necessarily retained data should be deleted when the emergency is over.

Both providers and patients may need to take steps after the emergency to remove any protected health information from communications applications used for telehealth.

WPF will update this statement about COVID-19 as new information is announced. For more information about health privacy, see our Patient’s Guide to HIPAA, available online, in eBook form, and in downloadable PDF.

Health Privacy Resources

A Patient’s Guide to HIPAA: https://www.worldprivacyforum.org/2019/03/hipaa/

HIPAA waivers in place for the coronavirus pandemic: https://www.phe.gov/emergency/news/healthactions/section1135/Pages/covid19-13March20.aspx

HHS notification of HIPAA enforcement during COVID-19 pandemic: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html.

HIPAA provisions in emergency circumstances: https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf.

WPF will update this statement about COVID-19 as new information is announced.

Original publication date: 18 March 2020.

Posted March 18, 2020 in Health Privacy, HIPAA
Tags: coronavirus, COVID-19

New Report: Risky Analysis: Assessing and Improving AI Governance Tools

We are pleased to announce the publication of a new WPF report, “Risky Analysis: Assessing and Improving AI Governance Tools.” This report sets out a definition of AI governance tools, documents why and how these tools are critically important for trustworthy AI, and where these tools are around the world. The report also documents problems in some AI governance tools themselves, and suggests pathways to improve AI governance tools and create an evaluative environment to measure their effectiveness. AI systems should not be deployed without simultaneously evaluating the potential adverse impacts of such systems and mitigating their risks, and most of the world agrees about the need to take precautions against the threats posed. The specific tools and techniques that exist to evaluate and measure AI systems for their inclusiveness, fairness, explainability, privacy, safety and other trustworthiness issues — called in the report collectively AI governance tools – can improve such issues. While some AI governance tools provide reassurance to the public and to regulators, the tools too often lack meaningful oversight and quality assessments. Incomplete or ineffective AI governance tools can create a false sense of confidence, cause unintended problems, and generally undermine the promise of AI systems. The report contains rich background details, use cases, potential solutions to the problems discussed in the report, and a global index of AI Governance Tools.
National IDs Around the World — Interactive map

About this Data Visualization: This interactive map displays the presence...
Report: From the Filing Cabinet to the Cloud: Updating the Privacy Act of 1974

This comprehensive report and proposed bill text is focused on the Privacy Act of 1974, an important and early Federal privacy law that applies to the government sector and some contractors. The Privacy Act was written for the 1970s information era -- an era that was characterized by the use of mainframe computers and filing cabinets. Today's digital information era looks much different than the '70s: smart phones are smarter than the old mainframes, and documents are now routinely digitized and stored and perhaps even analyzed in the cloud, among many other changes. The report focuses on why the Privacy Act needs an update that will bring it into this century, and how that could look and work. This work was written by Robert Gellman, and informed by a two-year multi-stakeholder process.