HIPAA Enforcement Discretion During the COVID-19 Public Health Emergency
Over the last two months, the U.S. Department of Health and Human Services (“HHS”) published guidance regarding the enforcement of HIPAA and its privacy and security requirements in response to the COVID-19 public health emergency (“PHE”). To date, the HHS Office for Civil Rights (“OCR”), which enforces HIPAA, has announced that it would not impose penalties during the PHE for violation of certain HIPAA rules in connection with the following:
Providing telehealth services via apps that are not HIPAA compliant;
Business Associates’ use and disclosure of protected health information (“PHI”) for public health and health oversight activities; and
Specified privacy rule requirements applicable to hospitals, but only for violations during the first 72 hours after hospitals institute disaster protocols.
The Substance Abuse and Mental Health Services Administration (“SAMHSA”) also issued...