May 52020

HHS Announces Exercise of Enforcement Discretion for Entities Engaged in COVID-19 Relief Efforts

Kate Heinzelman and Megan Svedman
, , , ,

Since COVID-19 was declared a pandemic, the U.S. Department of Health and Human Services (“HHS”) and its Office for Civil Rights (“OCR”) have taken a variety of steps to relax HIPAA restrictions particularly pertinent to the COVID-19 response.

First, as covered in an earlier posting, HHS took action to waive penalties and assure companies that it would exercise enforcement discretion with respect to the Privacy Rule’s application to telehealth services and certain limited communication activities related to COVID-19 treatment efforts.

On April 2, HHS released a notification indicating it will be exercising its discretion by not pursuing enforcement actions against business associates that share protected health information (“PHI”) for good faith purposes involving COVID-19 related public health concerns beyond the authority granted in their business associate agreements.  HHS’s guidance indicates that it will not pursue enforcement actions for such disclosures as long as two conditions are met:

  • The business associate makes a good faith use or disclosure of the covered entity’s PHI for public health activities consistent with 45 CFR 164.512(b), or health oversight activities consistent with 45 CFR 164.512(d); and
  • The business associate informs the covered entity within ten (10) calendar days after the use or disclosure occurs.

The following week, on April 9th, 2020, HHS issued another notification outlining its intention to exercise enforcement discretion with respect to both covered healthcare providers and their business associates participating in the operation of community-based testing sites (“CBTS”) related to COVID-19 specimen testing. The operation of CBTS includes all activities that support the collection of specimens from individuals for COVID-19 testing, and includes mobile, drive-through, or walk-up sites.  The agency’s relaxed enforcement posture with regard to covered entities and business associates applies only to healthcare providers and their business associates engaging in COVID-19 specimen collection at CBTS, who must still employ reasonable safeguards to protect patients’ PHI, including:

  • Using and disclosing only the minimum necessary PHI.
  • Setting up canopies or other opaque barriers between patient collections sites within a larger testing site.
  • Controlling foot and car traffic to maintain at least 6 feet’s worth of distance between passageways and patient specimen collection sites.
  • Establishing a “buffer zone,” that will prevent members of the media from filming or documenting patient specimen collection practices.
  • Using secure technology on-site when transmitting electronic PHI.
  • Posting a Notice of Privacy Practices to inform patients of their rights under HIPAA.

Provided these factors are satisfied, HHS has stated that it does not intend to pursue enforcement actions. HHS offered further clarification on this point in an April 24th webinar, where it emphasized that its enforcement discretion will not extend to the provision of non-COVID-19 related activities at CBTS.

Kate Heinzelman

kheinzelman@sidley.com

Megan Svedman

msvedman@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).