OCR Update on HIPAA and COVID-19

5/19/2020


The HIPAA Privacy Rule is frequently cited as the reason for not allowing data to be shared, even when the participant’s HIPAA authorization allows disclosure of PHI, including remotely or virtually. The Office for Civil Rights (OCR) released a February Bulletin on HIPAA and COVID-19 to clarify how Protected Health Information (PHI) can be shared while still maintaining privacy during the crisis.

The OCR also released an Enforcement Discretion for good faith use of telehealth during the crisis. To comply with the good faith provision, covered entities must use non-public facing communication products. In the rule, the OCR states that the Security Rule is not suspended; rather, penalties will not be imposed for HIPAA Security Rule violations made in good faith. For example, common non-public facing communication technologies can be used even if there is no business associate agreement in place. A non-public facing communication product allows only the intended parties to participate in the communication, for example, by using passwords, end-to-end encryption, or log-ins. An example of a communication product that is public facing, and therefore not in good faith, would be a live streaming video on social media. The rule lists some examples of systems that are adequate, and it also gives examples of what is and is not public facing.

Additionally, the Telehealth Remote Communications Guidance clarifies some of the frequently asked questions about telehealth during the crisis. The Privacy Rule, the Security Rule, and breach notification are all part of the Discretion. The Discretion applies only when the noncompliance is related to the good faith provision of telehealth and is necessary for the organization’s care of the individual. The definition of what telehealth in good faith entails is broad, as long as precautions are taken to protect privacy. For example, if an investigator needs to conduct a study visit with a subject using a secure video chat while quarantined at home, they need to move to a private area. Another clarification is that the scope of services that can be offered is limited by technology and not by the scope of the Discretion. For example, a picture of a wound emailed to the investigator, or the investigator using a smartphone to upload an image to an electronic health record, would be permitted under the Discretion.

The OCR Discretion does not have a specific expiration date. A new normal, in which more remote visits are implemented, can likely be anticipated.

You may be interested in our related recorded webinars:

1. ‘Remote Monitoring Operations and Maintaining HIPAA, GCP, and COVID-19 Restrictions’, including a helpful Q&A reference free with purchase.

2. ‘A Case for Sponsor Monitoring Remote Access to a Site’s EMR!’

Recorded webinars will be available for 10 days after purchase.

- The Clinical Pathways Team
