Legal Update
Mar 21, 2020
Managing HIPAA and Other Legal Risk in the Age of the Coronavirus
Sign up for our Coronavirus roundup email.
Visit our Coronavirus resource page.
As health care institutions move into the uncharted territory of testing and treating patients in the middle of a worldwide pandemic, they are facing mounting opposing pressures for information transparency and remote communication with patients and fellow providers – while still protecting individual health information. This has led to increased risk of liability under HIPAA and related statutes.
As discussed in greater detail below, the federal government has recently taken steps to decrease that risk for those institutions combating the Coronavirus. A review of these new safeguards provide a framework for institutions who wish to assist in national and local efforts to combat this disease while maintaining regulatory compliance as well as immunity from suit and liability.
As part of the its initial response to the growing coronavirus pandemic, Congress passed legislation allowing HHS to issue waivers under section 1135 of the Social Security Act. Retroactive to March 1, 2020, these waivers specifically remove limitations for virtual and other health care in order to better treat sick patients stricken by the virus.
In addition, on March 13, 2020, President Trump issued a Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease Outbreak under the National Emergencies Act. The Emergency Proclamation authorizes HHS to offer health care providers additional waivers, affording them increased flexibility to navigate the ongoing COVID-19 outbreak and the anticipated influx of ill patients.
Protections From Liability Under the PREP Act
On March 10, 2020, Secretary of HHS Alex Azar issued a declaration, effective February 4, 2020, under the Public Readiness and Emergency Preparedness Act (PREP Act), 42 U.S.C. § 247d-6d, which authorizes the Secretary to declare that certain “covered countermeasures” are necessary to beat back a public health emergency such as COVID-19. Although the PREP Act became law in 2005, its invocation has been rare and never on a scale so potentially far-reaching.
Secretary Azar’s COVID-19 declaration specifically affords immunity for “the manufacture, testing, development, distribution, administration, and use of the Covered Countermeasures.” The declaration defines “Covered Countermeasures” as “any antiviral, any other drug, any biologic, any diagnostic, any other device, or any vaccine, used to treat, diagnose, cure, prevent, or mitigate COVID-19 . . . or any device used in the administration of any such product,” limited to activities concerning federal agreements or to “activities authorized in accordance with the public health and medical response” of state or local public agencies.
Section 1135 Waivers and Blanket Waivers
A. Section 1135 Waivers Remove Limitations on the Provision of Telehealth Services.
Section 1135 waivers authorize health care providers to be exempt (i.e., waived) from specified statutory requirements of the Social Security Act and associated regulations. Invoking this authority, CMS has waived, effective March 6, 2020, limitations on Medicare coverage for telehealth during the COVID-19 outbreak so that hospitals and doctor’s offices are not overrun with patients. As a result, Medicare will now cover telehealth visits the same as ordinary, in-person visits and pay for such visits at the same rate as in-person visits.[1]
B. Blanket and Case-By-Case Waivers Relax Requirements on Other Health Care Providers.
In addition, in the wake of the President’s Emergency Proclamation, CMS issued several nationwide blanket emergency waivers which are immediately available, through the duration of the crisis, to health care providers on the frontlines of the fight against the novel virus. These include waiving the so-called Skilled Nursing Facility three-day rule, meaning that Medicare beneficiaries can now be transferred to an SNF without a three-day prior inpatient hospitalization; waiving CMS requirements that out-of-state providers be licensed in the state where they are providing services when they are licensed in another state; and relaxing some enrollment and administrative appeals requirements in connection with Medicare.
Moreover, the Emergency Proclamation allows HHS to waive, on a case-by-case basis, other requirements related to Medicare, Medicaid, and other federal health programs. It is up to health care providers (and their counsel) to evaluate their needs and identify the need for any federal laws to be waived in order to facilitate the treatment of patients diagnosed with COVID-19. For example, providers, in consultation with counsel, could analyze whether to seek specific waivers of, among other federal laws, EMTALA (e.g., to allow the transfer or relocation of patients to receive medical screening at an off-campus location which would otherwise not be in accordance with the EMTALA) and Medicare/Medicaid requirements related to conditions of participation.
HIPAA Privacy Rule Waivers
Effective March 15, 2020 and throughout the duration of coronavirus pandemic, HHS has waived penalties against covered hospitals that fail to comply with the following provisions of the HIPAA Privacy Rule:
- the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care;
- the requirement to honor a request to opt out of the facility directory;
- the requirement to distribute a notice of privacy practices;
- the patient’s right to request privacy restrictions; and
- the patient’s right to request confidential communications.
HHS has stressed that these penalty waivers only apply: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.
When the Presidential or Secretarial declaration terminates, a hospital must then immediately return to compliance with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.
How Health Care Institutions Can Benefits From These Changes
To take advantage of a section 1135 waiver, health care providers must submit waiver requests to both their State Survey Agency and their CMS Regional Office. The waiver request should include detailed information about the facility and a short statement explaining the asserted justification for the waiver and should be made in consultation with capable legal counsel. While waivers under section 1135 may provide critical tools to manage increased demand, health care providers and counsel should also bear in mind applicable state and local laws, including whether their state governor has already declared a state-wide emergency and thereby relaxed health care regulations pursuant to applicable state law.
On the other hand, health care providers do not need to submit individualized requests to be entitled to rely on the blanket emergency waivers. Rather, providers should review their operations to determine if and to what extent any increased flexibilities associated with these waivers could better assist treating COVID-19 patients in their locales.
Although providers may find that some of the blanket waivers enhance their treatment of COVID-19 patients, many health care providers will likely need to submit a specific waiver request, in consultation with legal counsel, to take advantage of the full scope of benefits available under section 1135.
To take advantage of the additional waivers in disaster areas, hospitals need to ensure they fall within in the emergency area identified in the public health emergency declaration and have instituted a disaster protocol.
Jesse M. Coleman is a partner in the Houston Office of Seyfarth Shaw, LLP and is co-chair of the firm’s Health Care, Life Sciences and Pharmaceuticals Practice Group.
Leon Rodriguez is a former Director for Health and Human Service’s Office of Civil Rights, tasked with enforcing the HIPAA Privacy Rule. He is currently serving as co-office managing partner in Seyfarth’s Washington, DC office.
Drew Del Junco is a litigation associate in Seyfarth’s Houston Office.
[1] Further detail and discussion of the various changes to telemedicine in response to COVID-19 can be found in a recent Legal Update from Adam Laughton.