In line with its other Notices of Enforcement Discretion, OCR announced today that it will not enforce HIPAA rules against healthcare providers and their business associates for HIPAA violations that occur during the good faith operation of a community-based COVID-19 specimen collection and testing site, such as a mobile, drive-through or walk-up site.
Author Archives: Dena M. Castricone, CIPP/US, CIPM
The CARES Act made important changes to 42 CFR Part 2 rules by aligning use and disclosure rules more closely with HIPAA. This is an important development and will require some operational tweaks by Part 2 Providers such as obtaining initial consent and ensuring the use of a Notice of Privacy Practices.
Yesterday, Connecticut’s Commissioner of Public Health issued an order suspending licensure requirements for certain healthcare providers licensed in other states for a period of 60 days. This order continues to expand access to telehealth opportunities as out of state providers can now provide telehealth services to Connecticut residents.
Late Friday, the Office for Civil Rights (OCR) issued FAQs on telehealth and HIPAA as a follow up to DHHS’ announcement that OCR would use “enforcement discretion” for HIPAA non-compliance related to the good faith roll out of telehealth services during the COVID-19 emergency. The FAQs provide useful information about the types of applications that can be used for telehealth as well as examples of bad faith conduct.
Earlier this week, more than 30 businesses sent a letter to California’s Attorney General requesting a temporary deferral in enforcement of the California Consumer Privacy Act (CCPA) until January 1, 2021 due to the COVID-19 pandemic and the lack of final regulations. CCPA enforcement is set to begin on July 1, 2020. But regulations directing the implementation of the CCPA remain incomplete and continue to change substantively. The regulations are not likely to be finalized for several weeks, which, under normal conditions, would leave businesses scrambling to comply before the enforcement deadline. But there is nothing normal about current conditions.
By executive order late yesterday, Governor Ned Lamont expanded permission to offer “audio-only” telehealth services to commercial insurer’s in-network providers furnishing covered telehealth services. Two days ago, the Governor granted this permission to Medicaid providers serving Medicaid beneficiaries. The Executive Order also addresses licensure and location requirements and conditions for other providers wishing to offer telehealth services. Additionally, the order assures providers that compliance with federal agency guidance on HIPAA is adequate to meet state law.
Just one week ago, Medicaid in Connecticut did not cover telehealth services. Then, DSS issued Provider Bulletins 2020-09 and 2020-10 providing for emergency temporary telehealth coverage in response to the Covid-19 pandemic. Today, the Connecticut Department of Social Services (DSS) issued Provider Bulletin 2020-14, which further expands Medicaid reimbursement to include telehealth delivered via telephone.
Today, the Department of Health and Human Services announced that its Office for Civil Rights, which enforces HIPAA, will not enforce requirements that are a barrier to making telehealth services available.
DHHS announced waivers of various compliance requirements for providers to ease administrative and operational burdens during this pandemic. I think the theme here is that providers just need to do the best that they can during these challenging times. Those that prioritize patient care, act reasonably and in good faith and do not commit fraud or abuse will be spared from enforcement actions.
Yesterday, the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator of Health Information Technology (ONC) released their long-awaited final rules on interoperability and information blocking.