Covid-19: US health department further relaxes HIPAA rules

The US Department of Health and Human Services will not penalise providers and certain businesses that disclose protected health information to other healthcare agencies during the covid-19 pandemic.

Typically, HIPAA rules only allow business associates – which include telemedicine platforms, data analysts, transcription companies, and other services that handle healthcare information – to disclose healthcare information if doing so is expressly permitted in their contracts with healthcare providers. But an HHS announcement last week said the department is suspending that rule to allow health departments and state emergency operations centres speedier access to patient information.

"The [Centers for Disease Control and Prevention], [Centers for Medicare and Medicaid Services], and state and local health departments need quick access to covid-19 related health data to fight this pandemic," said Roger Severino, the director of the HHS Office for Civil Rights. "Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives."

The suspension of this rule is the latest in a series of deregulatory actions the HHS has taken in the midst of the coronavirus pandemic.

On 18 March, US President Donald Trump announced that he was suspending HIPAA rules to facilitate the use of telemedicine.

“We will not enforce applicable ‘H-I-P-A-A’ penalties so that doctors can greatly expand care for their patients using telehealth,” Trump said, spelling out the letters of the acronym for Health Insurance Portability and Accountability Act. “We encourage everyone to maximise the use of telehealth to minimise exposure to the virus. It’s been a very successful method of communication, but never used on a scale like we’re about to use telehealth.”

HHS said at the time that acceptable chat apps include Apple’s FaceTime, Facebook Messenger, Google Hangouts, or Skype. However, providers should not use Facebook Live, Twitch, TikTok, or other applications that are not private.

Last week, the department issued further guidance, notifying the public that providers won’t be penalised for data breaches while using telemedicine in “good faith” – an announcement that worries some privacy advocates.

“We understand a pandemic is going on and we want patients to have access to the care they need … [but] we all need to be careful to use the most secure method possible to make sure patients get what they need and not be exposed to the negative consequences of a data breach,” said Deborah Reid, the senior health policy attorney at the Legal Action Center, a non-profit organisation that advocates for people with substance use disorders, HIV or AIDS, or criminal histories.
