The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes federal standards to protect sensitive health information from disclosure without a patient's consent. It applies to health plans, health care clearinghouses, and healthcare providers that conduct certain health care transactions electronically. During the COVID-19 pandemic, there was confusion about what information could be shared about individuals who had contracted the virus or were suspected of exposure, and about with whom that information could be shared.
HIPAA covered entities – healthcare providers, health plans, and healthcare clearinghouses – and business associates of covered entities had many questions about HIPAA compliance and COVID-19 cases. It is important to remember that during a public health emergency, the HIPAA Privacy and Security Rules still apply.
| Characteristics | Values |
|---|---|
| Does HIPAA apply to COVID-19? | Yes. HIPAA protections on patient information remain in place during disease outbreaks and other health emergencies, including COVID-19. |
| Who does HIPAA apply to? | Covered entities and their business associates. |
| What are covered entities? | Healthcare providers that conduct standard electronic transactions, health plans, and healthcare clearinghouses. |
| What are business associates? | Persons or organizations outside a covered entity's workforce that use individually identifiable health information to perform functions or services for the covered entity. |
| Can sanctions for non-compliance be waived? | During a declared public health emergency, the Secretary of HHS may waive sanctions and penalties for noncompliance with specific provisions of the HIPAA Privacy Rule; the Privacy and Security Rules themselves remain in force. |
| What are the permitted uses and disclosures of PHI? | Without patient authorization: treatment (including patient referrals and consultations with other healthcare professionals), payment, and healthcare operations; disclosures to public health authorities; disclosures to persons involved in the patient's care; disclosures to prevent or lessen a serious and imminent threat; and limited disclosures to disaster relief organizations, first responders, law enforcement, the press, or the public at large to identify or locate a patient or to notify those responsible for the patient's care of the patient's location, general condition, or death. |
| What are the restrictions on disclosures of PHI? | Disclosures must be limited to the minimum necessary information to achieve the purpose of the disclosure (disclosures to a healthcare provider for treatment are exempt from this standard). |
| What are the patient's rights over their PHI? | Examine and obtain a copy of their health records, direct a covered entity to transmit an electronic copy of their PHI to a third party, and request corrections. |
HIPAA-covered entities
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes federal standards to protect sensitive health information from disclosure without a patient's consent. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement HIPAA requirements, and the HIPAA Security Rule to protect specific information covered by the Privacy Rule.
The Privacy Rule standards address the use and disclosure of individuals' protected health information (PHI) by entities subject to the rule, which are known as "covered entities". These include healthcare providers, health plans, and healthcare clearinghouses.
Healthcare providers are any entity or individual that provides treatment or services, regardless of size, and that electronically transmits health information in connection with certain transactions. These include benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule. A provider that never conducts such electronic transactions is not a covered entity.
Health plans refer to health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, and other government-sponsored insurers; long-term care insurers (excluding nursing home fixed-indemnity policies); employer-sponsored group health plans; and multi-employer health plans. An exception is made for group health plans with fewer than 50 participants administered solely by the employer.
Healthcare clearinghouses are entities that process non-standard information received from another entity into a standard format or vice versa. They receive identifiable health information when providing processing services to a health plan or healthcare provider as a business associate.
Business associates are persons or organizations outside a covered entity's workforce that use individually identifiable health information to perform functions or services on behalf of a covered entity. These functions fall under payment and healthcare operations, for example claims processing, billing, data analysis, or hosting and transmitting PHI; a business associate must sign a business associate agreement and is directly liable for complying with the Security Rule.
During a public health emergency, such as the COVID-19 pandemic, the HIPAA Privacy and Security Rules still apply. The HIPAA Security Rule requires reasonable administrative, physical, and technical safeguards to protect electronic PHI against impermissible uses and disclosures. The HIPAA Privacy Rule permits uses and disclosures of PHI without the patient's authorization for treatment, payment, and healthcare operations and for a defined set of other purposes; anything outside those permissions requires the patient's written authorization.
In the context of the COVID-19 pandemic, covered entities are permitted to disclose PHI without first receiving authorization from a patient for treatment purposes, including coordinating and managing care, patient referrals, and consultations with other healthcare professionals. Covered entities are also permitted to share patient information to identify or locate a patient, or to notify family members, guardians, and other individuals responsible for the patient's care of the patient's location, general condition, or death. Where necessary for that purpose, and subject to the minimum necessary standard, this may include sharing information with law enforcement, the press, or the public at large.
Additionally, covered entities may disclose PHI to public health authorities, such as the Centers for Disease Control and Prevention (CDC) and state and local health departments, without obtaining authorization from the patient, because those authorities need the information to prevent or control disease. HIPAA permits this reporting; the obligation to report infected patients comes from state and local public health law, not from HIPAA itself.
PHI disclosures during COVID-19
During the COVID-19 pandemic, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) released guidance on the permissible disclosure of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA Privacy Rule permits uses and disclosures of PHI without authorization for treatment, payment, and healthcare operations and for a limited set of other purposes; all other disclosures require the patient's written authorization. During public health emergencies, the HHS Secretary may waive sanctions and penalties for noncompliance with specific provisions of the HIPAA Privacy Rule.
In response to the COVID-19 emergency, the HHS Secretary issued a bulletin waiving sanctions and penalties for noncompliance with several provisions of the HIPAA Privacy Rule, including:
- The requirement to obtain a patient's agreement to speak with family members or friends involved in the patient's care.
- The requirement to honour a request to opt out of the facility directory.
- The requirement to distribute a notice of privacy practices.
- The patient's right to request privacy restrictions.
- The patient's right to request confidential communications.
This waiver was effective from March 15, 2020, applied only to hospitals in the emergency area that had implemented a disaster protocol, and was limited to 72 hours from the time the protocol was implemented.
Despite the waivers, it is important to note that the HIPAA Privacy and Security Rules still applied during the COVID-19 pandemic. The HIPAA Security Rule ensures the security of patients' PHI and requires reasonable safeguards to protect PHI from impermissible uses and disclosures.
OCR's guidance clarified that covered entities, such as healthcare providers, health plans, and healthcare clearinghouses, could disclose PHI without patient authorization in specific circumstances related to COVID-19. These circumstances included:
- Treatment purposes, including coordinating and managing care, patient referrals, and consultations with other healthcare professionals.
- Notifying public health authorities of infected patients to ensure public health and safety.
- Preventing or lessening a serious and imminent threat to a specific person or the public.
- Disclosures to individuals involved in a patient's care, such as friends, family members, caregivers, and other identified contacts.
- Disclosures to first responders, law enforcement, and public health authorities to facilitate treatment, reduce the risk of COVID-19 exposure, and prevent or lessen a serious threat.
- Disclosures to correctional institutions or law enforcement officials in lawful custody of an individual when necessary for providing healthcare services, ensuring health and safety, and maintaining security and order.
For every disclosure other than one to a healthcare provider for treatment, covered entities must make reasonable efforts to limit the information disclosed to the minimum necessary to achieve the purpose of the disclosure. A covered entity may rely on a public health authority's representation that the information it requests is the minimum necessary.
Waivers for non-compliance
During the COVID-19 pandemic, the US Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), issued several waivers and notifications of enforcement discretion for non-compliance with certain HIPAA requirements. These were intended to facilitate data sharing and the use of telehealth services, thereby reducing the number of in-person appointments and promoting safe, remote care.
OCR's enforcement discretion for telehealth allowed providers to use remote communication platforms that may not fully comply with the Privacy and Security Rules. This relaxed key requirements at a time when providers were encouraged to limit person-to-person contact, permitting covered providers to use non-public-facing remote audio or video communication platforms, such as Apple FaceTime, Facebook Messenger, and Google Hangouts, to communicate with patients. OCR stressed that providers must still use non-public-facing tools, should enable all available encryption and privacy modes in those applications, and should notify patients that third-party applications may introduce privacy risks.
Additionally, OCR announced that it would not impose penalties on business associates for good faith uses and disclosures of protected health information for public health and health oversight activities during the pandemic. This allowed business associates to share COVID-19-related data with federal, state, and local public health authorities and health oversight agencies without prior authorization from the covered entity, provided the business associate notified the covered entity within ten calendar days of the use or disclosure.
OCR also lifted penalties for COVID-19 Community-Based Testing Sites (CBTS), permitting certain covered healthcare providers and business associates to operate these sites during the pandemic. These providers were required to meet specific conditions, including disclosing only the minimum necessary protected health information and leveraging secure technologies to record and transmit electronic protected health information.
It is important to note that these waivers were temporary and only applied during the COVID-19 public health emergency. Providers were still expected to prioritize privacy and security measures and ensure compliance with other federal and state privacy requirements.
Telehealth services
On March 17, 2020, HHS' Office for Civil Rights (OCR) announced that sanctions and penalties for noncompliance with the HIPAA Rules would not be applied in cases of good faith provision of telehealth during the COVID-19 public health emergency. This meant that healthcare providers could use any non-public-facing remote communication product to provide telehealth services to patients. OCR did not suspend all enforcement activity in relation to telehealth, only enforcement against good faith use during the public health emergency.
OCR defines non-public-facing communication products as those that, “as default, allow only the intended parties to participate in the communication.” Examples include Apple FaceTime, Facebook Messenger video chat, Google Hangouts, WhatsApp video chat, Skype, or common private texting applications (e.g. iMessage).
It is important to note that OCR will not penalize practitioners who use less secure products in accordance with the Notification and subsequent guidance. However, practitioners are encouraged to use video communication vendors that represent their products as HIPAA-compliant and will sign a Business Associate Agreement.
OCR has outlined several examples of bad faith in the provision of telehealth services, which include:
- Conducting or furthering a criminal act
- Intentional invasion of privacy
- Further uses of PHI transmitted during telehealth communications, such as using PHI for marketing without prior authorization
- Violations of state licensing laws and professional ethical standards that result in disciplinary actions related to the treatment offered or provided via telehealth
- Use of public-facing communication products such as Slack, Facebook Live, Twitch, and TikTok, as they do not have sufficient privacy protections
OCR has also provided guidance on how to protect privacy when providing telehealth services. Healthcare providers should conduct telehealth sessions in a private setting. When this is not possible, providers should use reasonable precautions such as lowering their voice, not using speakerphone, and advising the patient to move away from others when discussing PHI.
Media disclosures
When the media or a member of the public asks about a patient by name, a covered entity may disclose only limited facility directory information: confirmation that the person is a patient, the patient's location within the facility, and the patient's general condition in general terms (for example critical, stable, or treated and released), provided the patient has not objected to or restricted such disclosures. All other information may not be disclosed to the media or to any individual not involved in the care of the patient without first obtaining written authorization from the patient. This includes disclosures to the press and public postings on a facility's website or social media accounts.
If a patient has objected to being listed in the facility directory or has restricted disclosure of their health information, the covered entity may not confirm that the person is a patient at all. The media and patients' family members are not themselves subject to HIPAA and may share information more freely, but a covered entity's staff may not use that as a route around the Rules.
In summary, HIPAA-covered entities and their business associates must comply with HIPAA when disclosing patient information to the media, while the media itself is not bound by these rules and has more flexibility in what it publishes. Other federal and state laws may still apply to media disclosures, and the media should respect patient privacy and share health information only with the patient's consent.
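The minimum necessary standard and the facility directory rules above are access-control decisions, so a practitioner may want to see them enforced in code rather than in policy text. The following Python is an added example written for this page; it is not OCR guidance and not a legal definition. The record fields, requester categories, vocabulary of "general condition" terms, and audit-log format are my own illustrative assumptions, and the patient records are constructed sample data. It shows three things the prose does not: a by-name lookup that returns the same "no information" answer for an opted-out patient as for a stranger, so the directory cannot be used as an oracle; a fail-closed check that refuses to release a "general condition" field holding free text (which may be a detailed diagnosis); and a public health report that ignores the directory opt-out, because that opt-out restricts only directory disclosures, while every request, including refusals, is written to an audit trail.

```python
"""Minimum-necessary disclosure filter for a hospital facility directory.

Added example, not part of the original page or of HHS/OCR guidance.
Field sets, requester categories, condition vocabulary and log format are
illustrative assumptions chosen for this demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class Requester(Enum):
    PUBLIC_OR_MEDIA = "public_or_media"        # press or public asking about a patient by name
    INVOLVED_IN_CARE = "involved_in_care"      # family member or caregiver named by the patient
    PUBLIC_HEALTH_AUTHORITY = "public_health"  # e.g. a state health department


# Approved vocabulary for the "general condition" a directory may give out.
# Free text in that field is treated as detailed PHI and refused.
GENERAL_CONDITIONS = frozenset(
    {"undetermined", "good", "fair", "serious", "critical", "treated and released"}
)

# Minimum necessary: the only fields each requester category may receive (assumed sets).
ALLOWED_FIELDS = {
    Requester.PUBLIC_OR_MEDIA: frozenset({"full_name", "unit", "general_condition"}),
    Requester.INVOLVED_IN_CARE: frozenset({"full_name", "unit", "general_condition", "diagnosis"}),
    Requester.PUBLIC_HEALTH_AUTHORITY: frozenset({"full_name", "diagnosis", "test_result"}),
}


@dataclass
class PatientRecord:
    full_name: str
    unit: str                               # location within the facility
    general_condition: str                  # must be one of GENERAL_CONDITIONS
    diagnosis: str                          # detailed PHI, never released to media or public
    test_result: str
    directory_opt_out: bool = False         # patient objected to the facility directory listing
    care_contacts: frozenset = frozenset()  # ids of persons the patient named as involved in care


AUDIT_LOG: list = []   # every request is recorded, including refusals


def _audit(requester, requester_id, subject, purpose, released) -> None:
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "requester": requester.value,
        "requester_id": requester_id,
        "subject": subject,
        "purpose": purpose,
        "released_fields": released,
    })


def disclose(records, requested_name, requester, requester_id, purpose) -> Optional[dict]:
    """Answer a by-name directory request with the minimum necessary fields, or None.

    None is returned both when no such patient exists and when the patient has
    opted out (or the requester is not a listed care contact), so the answer
    cannot be used to infer that an opted-out person is a patient.
    """
    if requester is Requester.PUBLIC_HEALTH_AUTHORITY:
        raise ValueError("public health reporting is not a by-name lookup; use public_health_report()")
    match = next((r for r in records if r.full_name == requested_name), None)
    if match is None or match.directory_opt_out:
        _audit(requester, requester_id, requested_name, purpose, [])
        return None
    if requester is Requester.INVOLVED_IN_CARE and requester_id not in match.care_contacts:
        _audit(requester, requester_id, requested_name, purpose, [])
        return None
    if match.general_condition not in GENERAL_CONDITIONS:
        # Fail closed: free text here may be a diagnosis entered into the wrong field.
        raise ValueError(f"general_condition {match.general_condition!r} is not in the approved vocabulary")
    released = sorted(ALLOWED_FIELDS[requester])
    _audit(requester, requester_id, requested_name, purpose, released)
    return {f: getattr(match, f) for f in released}


def public_health_report(records, authority_id, purpose, condition_of_interest) -> list:
    """Report the patients with the condition being tracked, minimum fields only.

    The directory opt-out is deliberately not consulted: it restricts facility
    directory disclosures, not reporting to a public health authority.
    """
    released = sorted(ALLOWED_FIELDS[Requester.PUBLIC_HEALTH_AUTHORITY])
    report = [{f: getattr(r, f) for f in released}
              for r in records if r.diagnosis == condition_of_interest]
    _audit(Requester.PUBLIC_HEALTH_AUTHORITY, authority_id, f"all:{condition_of_interest}", purpose, released)
    return report


# Constructed sample records for the demonstration (not real patients).
SAMPLE_RECORDS = [
    PatientRecord("Alice Example", "Ward 4B", "fair", "COVID-19", "positive",
                  care_contacts=frozenset({"spouse-001"})),
    PatientRecord("Bob Example", "ICU 2", "critical", "COVID-19", "positive",
                  directory_opt_out=True),
    PatientRecord("Carol Example", "Ward 1A", "good", "fractured wrist", "not tested"),
]

if __name__ == "__main__":
    print(disclose(SAMPLE_RECORDS, "Alice Example", Requester.PUBLIC_OR_MEDIA, "press-42", "media inquiry"))
    print(disclose(SAMPLE_RECORDS, "Bob Example", Requester.PUBLIC_OR_MEDIA, "press-42", "media inquiry"))
    print(public_health_report(SAMPLE_RECORDS, "state-doh", "case reporting", "COVID-19"))
    print(len(AUDIT_LOG), "audit entries")
```

The design choice worth copying is the uniform None: a directory that answered "not a patient" for strangers but "cannot disclose" for opted-out patients would leak exactly the fact the opt-out is meant to protect. Real deployments would also authenticate the requester id and rate-limit by-name queries, which this example leaves out.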
Frequently asked questions
Generally no. HIPAA protects the privacy of patients of covered entities and requires their authorization before most disclosures of their health information, but team physicians or athletic trainers employed by a sports organization or franchise are usually not covered entities, because they do not bill for care through the standard electronic transactions that bring a provider under HIPAA. Their handling of an athlete's health information is governed by their employment contract, league rules, and state law rather than by HIPAA.
A business that is neither a covered entity nor a business associate may have indirect HIPAA obligations regarding employee health information, but only in the context of the employer's group health plan. Since an employer typically learns of an employee's COVID-19 diagnosis directly from the employee rather than from the plan, HIPAA's group health plan obligations are unlikely to govern the employer's handling of that information; other laws, such as the ADA, may.
Yes. HIPAA applies to disclosures to the media by HIPAA-covered entities and their business associates. In response to a request about a patient by name, they may provide only limited information: the patient's general condition and location within the facility, provided the patient has not objected. All other information requires the patient's written authorization.
Yes, OCR issued guidance confirming that disclosures of PHI are permitted to allow first responders to provide treatment and take steps to reduce the risk of contracting COVID-19. PHI may also be shared when required by law or to prevent or lessen a serious and imminent threat.