HIPAA Compliance: COVID-19's Impact on Healthcare Privacy

Do HIPAA laws apply during COVID-19?

The COVID-19 pandemic raised privacy and security questions about how the Health Insurance Portability and Accountability Act (HIPAA) applies during a public health emergency. The HIPAA Privacy Rule, which safeguards patients' protected health information (PHI), was not waived during the pandemic, but certain provisions were relaxed to facilitate treatment and public health protection. The Privacy Rule already permits covered entities and business associates to disclose PHI without patient authorization to treat patients, to report to public health authorities, and to notify family members or friends involved in a patient's care; HHS issued guidance and a limited waiver for hospitals clarifying how these permissions apply to COVID-19. In addition, the HHS Office for Civil Rights (OCR) announced that it would not impose penalties for HIPAA noncompliance in connection with the good faith provision of telehealth. These measures were tied to the COVID-19 Public Health Emergency declaration and are subject to change as the situation evolves.

| Characteristic | Value |
| --- | --- |
| HIPAA Privacy Rule | Protects the privacy of individuals' protected health information (PHI) |
| HIPAA Privacy Rule waiver | Certain provisions waived for hospitals during the COVID-19 national Public Health Emergency (see below) |
| Covered entities | Health plans, health care clearinghouses, and health care providers that transmit health information electronically |
| Business associates | A person or entity that performs functions or activities involving PHI on behalf of a covered entity; business associates are regulated separately from covered entities |
| Telehealth | Permitted during COVID-19 under OCR enforcement discretion |
| Telehealth technology | Non-public-facing remote communication products such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, and Skype |
| Telehealth services | Audio-only or combined audio-video |
| Telehealth and HIPAA | OCR will not impose penalties on health care providers for noncompliance with the HIPAA Privacy, Security, and Breach Notification Rules in connection with the good faith provision of telehealth during COVID-19 |
| Minimum necessary requirement | A disclosure of PHI should be limited to the minimum amount of information needed to accomplish its purpose (the standard does not apply to disclosures for treatment) |
| HIPAA Security Rule | Sets out the administrative, physical, and technical safeguards that covered entities and business associates must apply to electronic PHI (e-PHI) |
| HIPAA sanctions and penalties | HHS will not impose sanctions or penalties on a covered hospital for noncompliance with certain HIPAA Privacy Rule requirements, for up to 72 hours from the time the hospital implements its disaster protocol |

lawshun

Telehealth services

HHS has waived or relaxed a number of telehealth rules during the COVID-19 public health emergency. First, Medicare's originating site requirement was suspended, so patients can receive telehealth services anywhere, including at home. Second, OCR announced that it will not impose HIPAA penalties on clinicians who provide telehealth in good faith, so, for the duration of the public health emergency, telehealth can be delivered through common non-public-facing video-calling applications such as Skype or FaceTime without fear of a HIPAA penalty. State medical privacy laws may still apply, however. Third, the established patient requirement is not being enforced: HHS will not audit to confirm that telehealth patients have an established relationship with the clinician.

Despite these waivers, healthcare providers must still balance HIPAA requirements against the need to deliver services remotely. The HIPAA Security Rule (45 CFR § 164.306(a)) requires healthcare organizations to "ensure the confidentiality, integrity, and availability of all electronic protected health information" and to "protect against any reasonably anticipated threats or hazards to the security or integrity of such information." To comply, organizations must implement security measures that ensure only authorized users can access patient information, and must use secure channels for any transmission of electronic PHI.

The HHS Office for Civil Rights (OCR), which enforces the HIPAA Privacy and Security Rules, has temporarily relaxed its enforcement against telehealth services because of the COVID-19 pandemic. Healthcare providers may use any non-public-facing remote communication product, such as the video-calling capabilities of a smartphone, to deliver telehealth services. Providers are still expected to act in good faith and remain subject to penalties for bad faith conduct, including criminal acts, using or disclosing patient data without authorization, violating professional ethical standards, or delivering telehealth over public-facing platforms such as social media or public chat rooms (OCR gave Facebook Live, Twitch, and TikTok as examples).

Although OCR's enforcement discretion has enabled the rapid expansion of telehealth during the pandemic, providers should expect the existing rules to be enforced again once the public health emergency ends. Providers should therefore develop a durable telehealth strategy: evaluate secure technology for remote care, monitor federal and state regulations, write protocols for telehealth use, and train clinicians and staff accordingly.


Disclosure to public health authorities

On March 24, 2020, the Office for Civil Rights (OCR) at the Department of Health and Human Services issued guidance on how HIPAA-covered entities may disclose protected health information (PHI) about an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities. The guidance explains the circumstances under which a covered entity may make such a disclosure without the individual's HIPAA authorization.

First, when the disclosure is for treatment. For example, HIPAA permits a covered skilled nursing facility to disclose PHI about an individual who has COVID-19 to emergency medical transport personnel who will provide treatment while transporting the individual to a hospital.

Second, when the notification is required by law. For example, HIPAA permits a covered entity, such as a hospital, to disclose PHI about an individual who tests positive for COVID-19 in accordance with a state law requiring the reporting of confirmed or suspected cases of infectious disease to public health officials.

Third, to notify a public health authority in order to prevent or control the spread of disease. For example, HIPAA permits a covered entity to disclose PHI to a public health authority (such as the CDC, or a state, tribal, local, or territorial public health department) that is authorized by law to collect or receive PHI for the purpose of preventing or controlling disease, injury, or disability, including for public health surveillance, investigations, and interventions.

Fourth, when first responders may be at risk of infection. A covered entity may disclose PHI to a first responder who may have been exposed to COVID-19, or who may otherwise be at risk of contracting or spreading it, if the covered entity is authorized by law, such as state law, to notify persons as necessary in the conduct of a public health intervention or investigation. For example, HIPAA permits a covered county health department, in accordance with state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for the purpose of preventing or controlling the spread of the disease.

Fifth, when disclosure to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. A covered entity may disclose PHI for this purpose when the disclosure is made to someone it believes can prevent or lessen the threat, which may include the target of the threat. For example, HIPAA permits a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public, if the covered entity believes in good faith that the disclosure is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties.

It is important to note that while certain provisions of the HIPAA Privacy Rule can be waived during the COVID-19 national Public Health Emergency, the HIPAA Privacy Rule itself is not waived. Covered entities and business associates must continue to apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to protect patient information.


Disclosure to persons at risk

During the COVID-19 pandemic, the Office for Civil Rights (OCR) issued guidance on the circumstances in which a patient's protected health information (PHI) may be disclosed without the patient's written authorization. These permissions exist in the Privacy Rule itself; OCR's guidance, issued under the national Public Health Emergency, clarified how they apply to COVID-19.

PHI may be disclosed without patient authorization to persons who may have been exposed to COVID-19, or who are otherwise at risk of contracting or spreading it, provided that state law or another applicable law authorizes the covered entity to notify such persons as necessary in the conduct of a public health intervention or investigation (45 CFR § 164.512(b)(1)(iv)). The purpose of the disclosure must be to prevent or control the spread of the disease.

A separate permission covers disclosures to family members, friends, or other persons involved in the patient's care. There, the covered entity must obtain the patient's verbal agreement, or be able to reasonably infer from the circumstances that the patient would not object, and should disclose only the PHI directly relevant to that person's involvement in the patient's care. If the patient is incapacitated or unavailable, the covered entity may disclose if, in its professional judgment, doing so is in the patient's best interest.

PHI can also be disclosed to disaster relief organizations authorized by law or charter to assist in disaster relief, such as the American Red Cross, so that they can notify family members or others involved in the patient's care of the patient's location, general condition, or death. The covered entity does not need to obtain the patient's permission when doing so would interfere with the organization's ability to respond to the emergency.


Disclosure to prevent or lessen a serious threat

The COVID-19 pandemic has brought about a unique set of challenges for healthcare providers, especially regarding patient privacy and the disclosure of protected health information (PHI). While the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule protects patients' PHI, certain provisions of the rule can be waived in specific instances during a national public health emergency like COVID-19.

One such instance is when disclosure is necessary to prevent or lessen a serious threat to the health or safety of an individual or the public. Here are some key points regarding this aspect:

  • Covered entities, such as healthcare providers, can disclose PHI without patient authorization if it is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. This is permitted under 45 CFR § 164.512(j).
  • The disclosing entity must have a good-faith belief that disclosing PHI is necessary to prevent a serious and imminent threat. The Office for Civil Rights (OCR) presumes the good faith of the disclosing entity.
  • Disclosures must be made to individuals or entities reasonably able to prevent or lessen the threat, including the target of the threat. This can include family, friends, caregivers, law enforcement, and other first responders.
  • Disclosures must be consistent with applicable laws and the provider's ethical standards.
  • Disclosures are subject to HIPAA's minimum necessary standard, meaning only the minimum amount of PHI required to accomplish the purpose of the disclosure should be revealed.
  • In March 2020, the OCR issued guidance clarifying that healthcare providers may share patient information to prevent or lessen a serious and imminent threat, consistent with applicable laws and ethical standards.
  • The guidance also emphasized that HIPAA expressly defers to the professional judgment of healthcare professionals in determining the nature and severity of the threat.
  • Disclosure of PHI to first responders who may have been exposed to COVID-19, or who may otherwise be at risk of contracting or spreading it, is separately permitted under the public health provision (45 CFR § 164.512(b)(1)(iv)), if the covered entity is authorized by law to notify such persons as part of a public health intervention or investigation.
  • An example would be disclosing PHI about individuals who tested positive for COVID-19 to fire department personnel, child welfare workers, or mental health crisis services personnel if the covered entity believes it is necessary to prevent or minimize the threat of exposure.
  • The guidance reminds covered entities that they must make reasonable efforts to limit the PHI disclosed to the minimum necessary to accomplish the purpose.


Disclosure to the media

The HIPAA Privacy Rule protects the privacy of an individual's protected health information (PHI). During the COVID-19 pandemic, the Office for Civil Rights (OCR) clarified, and for hospitals partially waived, the Privacy Rule provisions that govern disclosure of PHI without a patient's written authorization, in light of the national Public Health Emergency caused by the pandemic.

Covered entities and business associates may disclose PHI without written authorization to public health authorities, such as local or state health departments, the CDC, or any person or entity acting under a grant of authority from a public health agency. They may also disclose PHI to anyone who may have been exposed to COVID-19 or is at risk of contracting or spreading it (where authorized by law), and to anyone they believe can prevent or lessen a serious and imminent threat to health or safety by receiving the PHI.

However, unless covered by the exceptions outlined above, information about an identifiable patient (such as tests, test results, or illness details) cannot be disclosed to the media or public at large without the patient's written authorization or the written authorization of the person legally authorized to make healthcare decisions for the patient.

If a patient hasn't specifically objected to the release of PHI, a covered entity may release limited facility directory information and basic information about a patient's condition, such as "critical, stable, deceased, or treated and released."

In the event of a breach of unsecured PHI, covered entities must notify the affected individuals, the Secretary of HHS and, in certain circumstances, the media. If the breach affects more than 500 residents of a state or jurisdiction, the covered entity must also notify prominent media outlets serving that state or jurisdiction, usually by press release, without unreasonable delay and no later than 60 calendar days after discovery of the breach.

Frequently asked questions

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a US law whose Privacy Rule requires covered entities to limit the use and disclosure of protected health information (PHI).

Do HIPAA laws still apply during COVID-19?

Yes. HIPAA still applies during COVID-19. There are, however, some temporary changes, such as the limited waiver for hospitals and OCR's enforcement discretion for telehealth.

What PHI can be disclosed without patient authorization during COVID-19?

Covered entities can disclose PHI without patient authorization to treat the patient or to protect public health. This includes sharing PHI with public health authorities, such as the CDC, and, where authorized by law, with people who have been exposed to COVID-19 or are at risk of contracting or spreading it.

What happens when the public health emergency ends?

When the public health emergency ends, the temporary changes end with it, and covered entities will again have to comply with all standard HIPAA privacy requirements.
