Are You Ready? How to Prepare for the End of OCR’s Public Health Emergency HIPAA Enforcement Discretion
In April 2020, in an effort to facilitate a national pivot to telehealth in light of the COVID-19 Public Health Emergency (PHE), the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced a policy of Health Insurance Portability and Accountability Act of 1996 (HIPAA) enforcement discretion for regulated health care providers (Covered Entities) implementing communications technologies that weren’t fully compliant with HIPAA or using those technologies in a manner that didn’t comply with HIPAA. Examples of flexibilities included allowing technology providers access to protected health information (PHI) without a HIPAA Business Associate Agreement (BAA). OCR’s enforcement discretion enabled Covered Entities to minimize the need for in-person visits for all kinds of health care services, not just COVID-19-related care. OCR also implemented flexibilities to promote public health during the COVID-19 pandemic; for example, it allowed Business Associates to share COVID-19 data with government agencies for such purposes without specific authority to do so under BAAs.
OCR recently announced the end of its PHE enforcement discretion, which means that Covered Entities and their service providers who qualify as business associates under HIPAA (Business Associates) must bring any ongoing services into compliance. The following are steps that both Covered Entities and Business Associates should consider for bringing their operations into compliance.
Identification of Relevant Vendors – In a perfect world, Covered Entities would have a roster of vendors that were on-boarded based on OCR’s enforcement discretion (PHE Vendors) and that will require retroactive compliance measures. In the crush of the PHE, however, and given the speed with which providers were required to provide remote alternatives for care, it’s possible that vendor records aren’t ideal. For entities whose vendor records are incomplete, an important initial step is to identify these PHE Vendors after the fact.
Updated Security Risk Assessments – Operational changes associated with the end of the PHE as well as recent guidance from OCR may require Covered Entities to update their HIPAA security risk analyses. In general, risk analyses should be updated at least annually or whenever there is an operational change affecting PHI. The risk analysis process actually lends itself to the identification of PHE Vendors that must be brought into compliance, as discussed above. For example, a HIPAA security risk analysis involves steps such as:
- the identification of ePHI within an organization (or outside of the organization, as a result of the pivot to telehealth services);
- the identification of external sources of ePHI, including vendors creating, receiving, maintaining, or transmitting ePHI; and
- evaluation of the threats to information systems containing ePHI.
Piggybacking a PHE Vendor identification effort on a larger security risk analysis provides a familiar process for Covered Entities going through the extraordinary circumstance of retroactively complying with HIPAA after the PHE.
Business Associate Agreements – Many PHE Vendors such as communications and telehealth providers may not have signed BAAs because they were not required at the time by OCR, so another important step will be implementing these agreements with any such vendors that will be retained by the Covered Entity. It’s important for Covered Entities to remember that a compliant Business Associate arrangement requires much more than a written agreement – the Business Associate actually has to comply with HIPAA requirements, so Covered Entities must do their usual diligence to ensure that vendors have the compliance infrastructure necessary to protect PHI in accordance with HIPAA requirements.
Replacement of Services Providers – Vendors that can’t or won’t comply with HIPAA requirements will have to be replaced before PHE flexibilities end (May 11, 2023, for scheduling applications and August 9, 2023, for telehealth technologies).
HIPAA Compliance – As the discussion of replacing services providers above illustrates, PHE Vendors that decided to take advantage of PHE flexibilities and not to sign BAAs will need to quickly adapt to become HIPAA-compliant or pivot their businesses away from health care before the period of enforcement discretion ends (August 9, 2023, for telehealth and May 11, 2023, for all other OCR notices of enforcement discretion). As a reminder, Business Associates are directly subject to HIPAA (and its penalties) and must comply with applicable portions of HIPAA privacy regulations, Business Associate breach notification requirements and the security regulations in their entirety (along with BAA terms). Importantly, PHE Vendors that meet the definition of a Business Associate will not avoid being subject to HIPAA by not signing a BAA.
Business Associate Requirements – PHE Vendors seeking to become Business Associates should be prepared to sign a BAA, which could contain requirements more stringent than HIPAA, significantly limit permissible data uses, and contain additional terms such as significant insurance requirements and indemnity and/or breach cost reimbursement requirements. PHE Vendors will also need to be prepared for Business Associate due diligence processes, which could involve customer review of privacy policies, security practices and policies, risk management plans, subcontracting processes, and subcontractor lists. Due to recent HHS reports and OCR guidance and enforcement, the vendor due diligence process may be more rigorous than before the pandemic. Vendors who have already entered into BAAs may also be approached for more information regarding information security because of this heightened vendor scrutiny as security risk assessments are updated. As with Covered Entities, Business Associates new and old should be taking appropriate steps to update their security risk assessments.
Subcontractor Business Associate Agreements – PHE Vendors should remember that as part of HIPAA compliance they will need to enter into BAAs with their subcontractors with access to PHI and conduct due diligence regarding HIPAA compliance. Similar to Covered Entities, the first step will be identifying subcontractors who are acting as Business Associates. PHE Vendors should build in enough time to:
- perform data mapping to identify all subcontractors that will need to enter into BAAs;
- determine which subcontractors will enter BAAs, and which services will require new subcontractors;
- identify new subcontractors, if needed;
- perform due diligence on all subcontractors with respect to privacy and security practices;
- update security risk assessments, risk management plans, and policies and procedures as necessary; and
- negotiate BAAs with applicable subcontractors.
Public Health Oversight – Business Associates may have been approached by various federal public health authorities and health oversight agencies, state and local health departments, and state emergency operations centers to provide access to PHI and perform data analytics for public health and safety purposes during the PHE. Effective April 7, 2020, Business Associates were given the flexibility to use and disclose PHI for these purposes if their BAAs did not allow it, provided certain conditions were met. Business Associates will need to identify whether public health disclosures will be made past May 11, 2023, and determine whether or not the disclosures are permitted under the terms of their BAAs. If not, Business Associates will need to work with their Covered Entity customers to amend their BAAs to allow for these public health disclosures to continue by no later than May 11, 2023.
Notably, customers, employees and government agencies have likely grown accustomed to operating under OCR’s HIPAA enforcement discretion. Business Associates should provide training to employees regarding the disclosures that are permissible after the PHE ends. If public health disclosures are not permitted by BAAs, Business Associate employees should be made aware of this fact and learn how to handle such requests from government agencies in a post-PHE environment.
With the PHE coming to an end, all HIPAA regulated entities need to quickly come into compliance and should:
- identify BAA needs and begin applicable negotiations as soon as possible;
- conduct due diligence on vendors relating to privacy and security requirements;
- conduct security risk assessments and update risk management plans and security policies and procedures accordingly; and
- train employees on what the end of the PHE means from a HIPAA compliance perspective.