HipAa & Part 2 FAQ

Generally, healthcare providers are required to ensure the protection and confidential handling of protected health information under the Health Insurance Portability and Accountability Act or HIPAA. Additionally, 42 CFR Part 2 imposes requirements for the handling of patient records for individuals in a substance abuse treatment program.

Due to the COVID-19 pandemic, in accordance with the Centers for Disease Control and Prevention guidelines on social distancing, as well as state or local government-issued bans or guidelines on gatherings of multiple people, many substance use disorder treatment provider offices are closed, or patients are not able to present for treatment services in person. Therefore, there has been an increased need for telehealth services, and in some areas without adequate telehealth technology, providers are offering telephonic consultations to patients. To ensure that substance use disorder treatment services are not interrupted during this public health emergency there have been modifications made to the requirements under 42 CFR Part 2 and HIPAA.

Due to the COVID-19 pandemic providers may not be able to obtain written patient consent for disclosure of substance use disorder records. According to guidance issued by SAMHSA the prohibitions on use and disclosure of patient identifying information under 42 C.F.R. Part 2 would not apply in these situations to the extent that, as determined by the provider, a medical emergency exists.

Patient identifying information may be disclosed by a Part 2 program or other lawful holder to medical personnel, without patient consent, to the extent necessary to meet a bona fide medical emergency in which the patient’s prior informed consent cannot be obtained. Information disclosed to the medical personnel who are treating such a medical emergency may be re-disclosed by such personnel for treatment purposes as needed.

Note that Part 2 requires programs to document certain information in their records after a disclosure is made pursuant to the medical emergency exception.

Under the medical emergency exception, providers make their own determinations whether a bona fide medical emergency exists for purposes of providing needed treatment to patients.

No, as long as the provider is acting in good faith. During the COVID-19 national emergency providers subject to HIPAA may seek to communicate with patients, and provide telehealth services, through remote communications technologies. Some of these technologies, and the manner in which they are used may not fully comply with the requirements of the HIPAA.

The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS), responsible for enforcing certain regulations issued under HIPAA, has announced that it will exercise its enforcement discretion during the COVID-19 nationwide public health emergency.

OCR will not impose penalties on providers for noncompliance when providers are engaged in good faith provision of telehealth.

No, a provider may use any non-public facing remote communication product that is available to communicate with patients. A provider may use a video chat application connecting the provider’s or patient’s phone or desktop computer in order to assess a greater number of patients while limiting the risk of infection of other persons who would be exposed from an in-person consultation.

Providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with HIPAA. However, Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.