Enforcement Discretion is one aspect of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that warrants careful attention. It is a concept that grants flexibility to covered entities during emergencies or disasters.
Understanding HIPAA Enforcement Discretion, its purpose, implications, and best practices will help covered entities respond appropriately in times of crisis.
Table of Contents
HIPAA Enforcement Discretion Explained
HIPAA Enforcement Discretion occurs when the Secretary for Health and Human Services (HHS) exercises discretion in enforcing specific HIPAA Rules.
According to the HIPAA Journal, this discretion can be temporary or permanent, region-specific or nationwide, and may apply to some Rules while exempting others. The primary purpose of HIPAA enforcement discretion is to enable healthcare providers to focus on delivering essential services and care during times of crisis while ensuring patient information remains protected.
Key Factors for HIPAA Enforcement Discretion
The HHS Secretary may issue Notices of Enforcement Discretion under §1135 of the Social Security Act in response to a declared emergency or disaster. Several key factors influence the decision to exercise HIPAA Enforcement Discretion and determine its scope. Here are some of them:
Severity of the emergency or disaster
The HHS evaluates the severity and magnitude of the emergency or disaster when considering whether to exercise enforcement discretion. Natural disasters, pandemics, or public health emergencies significantly disrupting healthcare facilities and services are more likely to trigger the need for enforcement discretion.
Impact on healthcare facilities
The extent to which the emergency affects healthcare facilities is a crucial factor. If the disaster leads to the closure or limited operation of healthcare institutions, the HHS Secretary may issue enforcement discretion to ensure continued patient care without compromising privacy protections.
Need for prompt response measures
Healthcare providers, during emergencies, require flexibility to respond swiftly to evolving situations. Enforcement discretion may be granted to allow covered entities to promptly prioritize patient care and promptly communicate with the necessary authorities and personnel.
Safeguarding public health
The primary goal of enforcement discretion is protecting public health. By temporarily relaxing specific HIPAA Rules, authorities can facilitate the timely sharing of patient information with relevant agencies, public health authorities, and first responders to control the spread of diseases and protect communities.
Ensuring continuity of care
Enforcement discretion enables uninterrupted healthcare services during disasters. By waiving certain provisions, covered entities can efficiently coordinate care, especially when transitioning to telehealth platforms or expanding remote communications.
Examples of HIPAA Enforcement Discretion
During critical events, HIPAA Enforcement Discretion allows healthcare providers to handle difficult situations and prioritize patient care.
Examples of enforcement discretion include:
COVID-19 pandemic (2020 to 2023)
During the COVID-19 pandemic, healthcare providers faced immense challenges in providing continuous patient care. In response to these challenges, the HHS issued a Notification of Enforcement Discretion for Telehealth Remote Communications. The Office for Civil Rights (OCR) exercised its enforcement discretion and decided not to impose “penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products.”
2023 Public health emergency in Guam due to Typhoon Mawar
As a result of the public health emergency declared in Guam due to Typhoon Mawar, the HHS has utilized its authority to waive sanctions and penalties for certain provisions of the HIPAA Privacy Rule.
The covered hospital was exempted from complying with specific requirements within the emergency area and the emergency period. These included obtaining a patient’s agreement to speak with family members or friends involved in their care, honoring requests to opt out of the facility directory, distributing a notice of privacy practices, and complying with the patient’s requests for privacy restrictions and confidential communications. Hospitals that implemented disaster protocols were granted enforcement discretion, which lasted for a maximum of 72 hours.
Implications of HIPAA Enforcement Discretion for Covered Entities
HIPAA Enforcement Discretion holds significant implications for covered entities. While it provides flexibility during emergencies, entities must exercise due diligence and comply with the specific provisions waived or altered by the HHS. Failure to adhere to the granted flexibilities or misusing enforcement discretion can lead to dire outcomes, such as hefty penalties.
Best Practices for Navigating HIPAA Enforcement Discretion
To effectively navigate HIPAA Enforcement Discretion, covered entities must adopt best practices to balance patient care and privacy protection during emergencies:
- Stay informed: Covered entities must stay updated on HHS announcements and notices regarding enforcement discretion to understand the scope and duration of specific waivers.
- Develop disaster protocols: Hospitals and healthcare facilities should proactively develop disaster protocols to ensure they are eligible for enforcement discretion and can implement them appropriately when required.
- Limit PHI disclosure to the minimum: Even during enforcement discretion, covered entities must strictly adhere to the minimum necessary standard when sharing PHI to protect patient privacy.
- Use secure communication tools: When using non-public facing communication platforms for telehealth services during emergencies, covered entities must encrypt data and enable privacy settings to safeguard patient information.
- Only engage with HIPAA-compliant vendors: Covered entities should favor collaborations with HIPAA-compliant vendors who are willing to sign business associate agreements (BAAs) to ensure maximum privacy during PHI handling.
Follow HIPAA Enforcement Discretion Protocols
HIPAA Enforcement Discretion is an essential approach that allows covered entities to navigate emergencies effectively while upholding patient privacy.
Understanding the factors influencing enforcement discretion and its implications empowers healthcare providers to make informed decisions during critical events like disasters and emergencies. By adhering to best practices and remaining vigilant, your organization can ensure the continuity of care without compromising the security and privacy of your patients.