Confused about the Health and Human Service Office of Civil Right’s HIPAA waiver? Don’t be! We did the research to help you stay compliant and safe against HIPAA penalties.
Confusion #1: The HIPAA waiver is only for hospitals and CMS?
False. While the US Department of Health and Human Services (HHS) Office of Civil Rights’ (OCR) earlier declaration only included hospitals as stated in their “March 2020 HIPAA and COVID-19 Bulletin“, on March 19 they published “Notification of Enforcement Discretion for Telehealth“. The Notification of Enforcement specifically lists dental consultations in the telehealth waiver. Furthermore, in their FAQs on “HIPAA and Telehealth” also published after the “March 2020 HIPAA Bulletin”, OCR specifically defines dentists as health care providers. It also goes on to state that providers participating in telehealth should always use private locations, and lists private settings such as clinics and offices as an example.
Confusion #2: The HIPAA waiver means no more HIPAA regulations.
False. As stated in HHR HIPAA Bulletin, HIPAA Privacy Rules have not entirely gone away. There are certain provisions of the Privacy Rules that OCR has waived, but it has not done away with all HIPAA rules. OCR also states that practitioners must continue to implement reasonable safeguards to protect patient health information (PHI). It is also important to note that if a HIPAA violation happens, the waiver only applies enforced discretion from the OCR. Practitioners must still follow state laws on patient and medical records. If your state has not lifted HIPAA restrictions on telehealth, then you are still required to comply with your state’s rules.
Confusion #3: I will not be liable for PHI violations.
While practitioners cannot be sued for HIPAA violations, legal action can be taken against a provider for violating state laws (See HIPAA Journal). Patients can also file grievances for HIPAA violations with their insurance companies, including Medicaid. Furthermore, a patient could file a complaint with the provider’s state dental board, and while OCR has lifted HIPAA Rules, that does not mean a complaint cannot be filed against a provider with OCR.
With HIPAA, think long term
In conclusion, while federal HIPAA regulations for telehealth during for COVID-19 pandemic are less restrictive, we must still consider state regulations and always practice with our patients’ best interest in mind. Note that information provided by Mouthwatch LLC is for general informational purposes only. All information is provided in good faith; however, you should contact your legal representative or state licensing board for guidance on state-specific HIPAA rules. It is also important to note that during this national crisis changes are evolving rapidly, and this document might not be current at the time that you are reading it.