In guidance issued today, OCR explained that, with a few limitations, healthcare providers may use patient information to contact recovered COVID-19 patients and provide information about donating blood and plasma.
In Part I of this mini-series last week, Dayle A. Duran, Esq., CIPP/US articulately described Apple and Google’s COVID-19 contact tracing API. Overall, she concluded that, if used as intended, the technology provides good privacy protections, but flagged that the real privacy risks lie in unintended use and function creep. Recently proposed bipartisan legislation may adequately address these concerns.
This is part one of a two-part series focused on COVID-19 contact tracing technology and its implications for US privacy law. The next installment of this series will examine legislative solutions to protect data subjects from misuse of information collected through contact tracing apps and related technologies.
Keeping track of the flurry of rules and changes related to telehealth during this COVID-19 public health emergency has been challenging. I offer the timeline below as a resource with links to all the underlying sources. I will update this timeline as changes come about.
In line with its other Notices of Enforcement Discretion, OCR announced today that it will not enforce HIPAA rules against healthcare providers and their business associates for HIPAA violations that occur during the good faith operation of a community-based COVID-19 specimen collection and testing site, such as a mobile, drive-through or walk-up site.
Yesterday, Connecticut’s Commissioner of Public Health issued an order suspending licensure requirements for certain healthcare providers licensed in other states for a period of 60 days. This order continues to expand access to telehealth opportunities as out of state providers can now provide telehealth services to Connecticut residents.
By executive order late yesterday, Governor Ned Lamont expanded permission to offer “audio-only” telehealth services to commercial insurer’s in-network providers furnishing covered telehealth services. Two days ago, the Governor granted this permission to Medicaid providers serving Medicaid beneficiaries. The Executive Order also addresses licensure and location requirements and conditions for other providers wishing to offer telehealth services. Additionally, the order assures providers that compliance with federal agency guidance on HIPAA is adequate to meet state law.
DHHS announced waivers of various compliance requirements for providers to ease administrative and operational burdens during this pandemic. I think the theme here is that providers just need to do the best that they can during these challenging times. Those that prioritize patient care, act reasonably and in good faith and do not commit fraud or abuse will be spared from enforcement actions.