Coronavirus And Hipaa: What You Need To Know

Do HIPAA laws apply to coronavirus?

The Health Insurance Portability and Accountability Act (HIPAA) establishes federal standards to protect sensitive health information from disclosure without a patient's consent. The HIPAA Privacy Rule and Security Rule continue to apply during a public health emergency such as the COVID-19 pandemic. The Privacy Rule safeguards Protected Health Information (PHI) in any form; the Security Rule protects the subset that is created, stored, or transmitted electronically (ePHI). During the pandemic there was confusion about what information could be shared about individuals who had contracted the virus or been exposed to it, and with whom that information could be shared.

At a glance:

  • HIPAA-covered entities: healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities
  • Permitted uses and disclosures of PHI in emergencies: treatment, coordinating and managing care, patient referrals, and consultations with other healthcare professionals
  • Permitted disclosures of PHI to first responders: treatment, reducing the risk of contracting COVID-19, preventing or lessening a serious and imminent threat, and when required by law
  • Permitted disclosures to individuals involved in a patient's care: friends, family members, caregivers, and other individuals involved in the patient's care
  • Permitted disclosures to the media: limited information, such as the general condition of the patient and their location in the facility
  • Entities not covered by HIPAA: employers, employees, and non-healthcare professionals


HIPAA-covered entities and COVID-19

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes federal standards to protect sensitive health information from disclosure without a patient's consent. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement HIPAA's requirements, and the HIPAA Security Rule to protect the subset of information covered by the Privacy Rule that is held or transmitted electronically (ePHI).

HIPAA-covered entities include healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates. Healthcare providers are covered by HIPAA if they electronically transmit health information in connection with certain transactions, such as benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule. Health plans refer to health, dental, vision, and prescription drug insurers, health maintenance organizations, Medicare, Medicaid, employer-sponsored group health plans, and more. Healthcare clearinghouses are entities that process non-standard health information they receive from another entity into a standard format or vice versa. Business associates are non-members of a covered entity's workforce who use individually identifiable health information to perform functions for a covered entity.

During a public health emergency, such as the COVID-19 pandemic, the HIPAA Privacy and Security Rules still apply. The Security Rule requires reasonable administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI) against impermissible uses and disclosures. The Privacy Rule permits uses and disclosures of PHI without patient authorization for treatment, payment, and healthcare operations, and for a defined set of other purposes such as public health activities; any other use or disclosure requires the individual's written authorization.

HIPAA-covered entities may disclose PHI without a patient's authorization for treatment purposes, coordinating and managing care, patient referrals, and consultations with other healthcare professionals. During the COVID-19 pandemic, the Privacy Rule permitted covered entities to notify public health authorities, such as the Centers for Disease Control and Prevention (CDC) and state and local health departments, about infected patients without patient authorization, because those authorities need the information to protect public health and safety. Disclosures of PHI are also permitted to prevent or lessen a serious and imminent threat to specific individuals or the public, and to individuals involved in a patient's care, such as friends, family members, and caregivers.

When public health emergencies are declared, the Secretary of the HHS may waive certain sanctions and penalties for non-compliance with specific provisions of the HIPAA Privacy Rule. For example, during the COVID-19 pandemic, a limited HIPAA waiver was announced, covering provisions such as the requirement to obtain a patient's agreement to speak with family members or friends involved in their care and the patient's right to request privacy restrictions. This waiver was applicable only in areas covered by the public health emergency and for hospitals that implemented their disaster protocols.

HIPAA-covered entities must comply with the HIPAA Privacy, Security, and Breach Notification Rules when using online tracking technologies. They are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules. For example, disclosures of PHI to tracking technology vendors for marketing purposes without individuals' HIPAA-compliant authorizations would constitute impermissible disclosures.

In summary, during the COVID-19 pandemic, HIPAA-covered entities must continue to comply with the HIPAA Privacy and Security Rules while disclosing PHI as necessary for public health and safety and coordinating patient care.


The HIPAA Privacy Rule

The Rule requires appropriate safeguards to protect the privacy of PHI and sets limits and conditions on how this information may be used or disclosed without an individual's authorization. The Rule also gives individuals rights over their PHI, including the right to examine and obtain a copy of their health records, to direct a covered entity to transmit their PHI to a third party, and to request corrections.

PHI is defined as information that relates to:

  • An individual's past, present, or future physical or mental health condition
  • The provision of healthcare to the individual
  • The past, present, or future payment for the provision of healthcare to the individual

Health information becomes PHI when it is linked to an individual through common identifiers such as name, address, birth date, or Social Security Number; the identifiers themselves are part of the PHI and must be protected along with the health data.

The Privacy Rule permits covered entities to use and disclose PHI, without an individual's authorization, for the following purposes:

  • Treatment, payment, and healthcare operations
  • Opportunity to agree or object to the disclosure of PHI
  • Incident to an otherwise permitted use and disclosure
  • Public interest and benefit activities
  • Limited data set for the purposes of research, public health, or healthcare operations

Covered entities include:

  • Healthcare providers: Every healthcare provider, regardless of the size of the practice, who electronically transmits health information in connection with certain transactions.
  • Health plans: Health, dental, vision, and prescription drug insurers; health maintenance organizations; Medicare, Medicaid, and other government-sponsored health plans; long-term care insurers; and employer-sponsored group health plans.
  • Healthcare clearinghouses: Entities that process non-standard information received from another entity into a standard format or vice versa.
  • Business associates: A non-member of a covered entity's workforce that performs certain functions or activities on behalf of a covered entity, such as claims processing, data analysis, utilization review, and billing.

The Privacy Rule also contains standards for individuals' rights to understand and control how their health information is used. It protects individual health information while allowing necessary access to promote high-quality healthcare and protect the public's health.


The HIPAA Security Rule

The Security Rule is designed to be flexible and scalable so that covered entities can implement policies, procedures, and technologies appropriate to their size, structure, and the risks to the electronic PHI (ePHI) they hold. Covered entities include health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with specific transactions, along with their business associates.

To comply with the HIPAA Security Rule, covered entities must:

  • Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information.
  • Protect against reasonably anticipated, impermissible uses or disclosures.
  • Ensure compliance by their workforce.

The Security Rule defines "confidentiality" as ensuring that ePHI is not available or disclosed to unauthorized persons. "Integrity" means that ePHI is not altered or destroyed in an unauthorized manner, and "availability" means that ePHI is accessible and usable on demand by an authorized person.

Covered entities must implement administrative, physical, and technical safeguards to maintain compliance with the Security Rule. Administrative safeguards are the policies, procedures, and workforce practices (such as risk management, training, and sanctions) by which a covered entity protects its ePHI. Physical safeguards control access to the facilities, workstations, and devices that hold ePHI to prevent unauthorized physical access. Technical safeguards are the technology, and the policies and procedures governing its use, that protect ePHI and control access to it, for example access controls, audit logging, integrity checks, and encryption of data in transit.

To comply with the Security Rule's implementation specifications, covered entities must conduct a risk analysis (often called a risk assessment) to identify threats and vulnerabilities affecting the confidentiality, integrity, and availability of ePHI, and then implement measures that reduce those risks and prevent unauthorized uses and disclosures. The analysis must be tailored to the covered entity's circumstances and environment, including its size, complexity, technical infrastructure, and the probability and criticality of each identified risk to ePHI, and it must be revisited as systems and threats change.


Disclosures of PHI to first responders

On March 24, 2020, the Office for Civil Rights (OCR) issued guidance on disclosures of protected health information (PHI) to first responders, law enforcement officers, paramedics, and public health authorities that do not require a HIPAA authorization. The guidance document provides examples of permitted disclosures, such as the provision of a list of individuals who have tested positive for COVID-19 to an EMS dispatch. This allows EMS personnel to take extra precautions, such as wearing PPE, when responding to a call where there is a risk of infection.

The OCR guidance confirms that disclosures of PHI are permitted so that first responders and other providers can treat patients, so that first responders can take steps to reduce their risk of contracting COVID-19, when a disclosure could prevent or lessen a serious and imminent threat, and when the disclosure is required by law. PHI may also be shared with a correctional institution or a law enforcement official having lawful custody of an inmate or other individual, in response to that institution's or official's request and under the specific conditions the Privacy Rule sets for such disclosures.

PHI can be disclosed without first receiving authorization from a patient for treatment purposes. Disclosures are also permitted for coordinating and managing care, for patient referrals, and for consultations with other healthcare professionals. With a disease such as COVID-19, it is essential for covered entities to notify public health authorities of an infected patient, as the public health authorities will need information to ensure public health and safety. It is permissible to share PHI with public health authorities such as the Centers for Disease Control and Prevention (CDC) and others responsible for ensuring the safety of the public, such as state and local health departments. These disclosures are necessary to help prevent and control disease, injury, and disability. In such cases, PHI may be shared without obtaining authorization from the patient.

In all of these cases, a covered entity must make reasonable efforts to limit the PHI it discloses to the minimum necessary to accomplish the purpose of the disclosure. The HIPAA Minimum Necessary Standard applies to uses and disclosures of PHI generally, with a small set of exceptions: disclosures to a healthcare provider for treatment, disclosures to the individual themselves, and disclosures made under the individual's authorization, among others. In practice this means deciding, before data leaves the organization, which fields a given recipient actually needs for the stated purpose and withholding the rest.
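The first-responder disclosures above (the EMS dispatch list, public health reporting) and the minimum-necessary rule describe a purpose-based, deny-by-default filter on patient records. The Python below is an added example written for this page, not code from OCR or from any real covered entity: it maps each disclosure purpose to an allow-list of fields, releases nothing for an unknown purpose, requires an authorization flag for marketing, and records which fields actually left the system. The purposes, field sets, and the sample patient record are all constructed assumptions; a real policy is set by the covered entity's privacy officer.

```python
"""Purpose-based PHI disclosure filter with an audit trail.

Added example; the purposes and field sets are hypothetical illustrations
of the minimum-necessary standard, not an official HIPAA policy.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


class DisclosureDenied(Exception):
    """Raised when a request does not match a permitted purpose."""


@dataclass(frozen=True)
class AuditEntry:
    purpose: str
    fields: tuple  # names of the fields that actually left the system


# Constructed sample record; every value is fictional.
PATIENT: Dict[str, object] = {
    "name": "Jane Example",
    "address": "1 Sample St, Anytown",
    "dob": "1970-01-01",
    "ssn": "000-00-0000",
    "phone": "555-0100",
    "covid_status": "positive",
    "diagnosis_history": ["asthma"],
    "insurance_id": "INS-12345",
}

ALL_FIELDS: FrozenSet[str] = frozenset(PATIENT)

# Allow-list per purpose (hypothetical). A field not listed here is withheld;
# there is no deny-list of "sensitive" fields to forget to update.
DISCLOSURE_POLICY: Dict[str, FrozenSet[str]] = {
    # Disclosures to a provider for treatment are exempt from minimum necessary.
    "treatment": ALL_FIELDS,
    # EMS dispatch needs identity, location, and infection status only.
    "ems_dispatch": frozenset({"name", "address", "covid_status"}),
    # Public health reporting: identity, contact details, status; no SSN or billing data.
    "public_health": frozenset({"name", "dob", "address", "phone", "covid_status"}),
    # Marketing is permitted only with the individual's written authorization.
    "marketing": frozenset({"name", "address", "phone"}),
}

# Purposes that need a HIPAA-compliant authorization before any field is released.
REQUIRES_AUTHORIZATION: FrozenSet[str] = frozenset({"marketing"})


def disclose(record: Dict[str, object], purpose: str, *,
             authorization: bool = False,
             audit: Optional[List[AuditEntry]] = None) -> Dict[str, object]:
    """Return the subset of `record` permitted for `purpose`.

    Deny by default: an unknown purpose, or an authorization-gated purpose
    without authorization, releases nothing and raises DisclosureDenied.
    """
    allowed = DISCLOSURE_POLICY.get(purpose)
    if allowed is None:
        raise DisclosureDenied(f"no policy for purpose {purpose!r}; nothing released")
    if purpose in REQUIRES_AUTHORIZATION and not authorization:
        raise DisclosureDenied(f"purpose {purpose!r} requires patient authorization")
    released = {k: v for k, v in record.items() if k in allowed}
    if audit is not None:
        # Log field names only; the audit trail must not become a second copy of the PHI.
        audit.append(AuditEntry(purpose, tuple(sorted(released))))
    return released


def withheld_fields(record: Dict[str, object], purpose: str) -> FrozenSet[str]:
    """Fields present in `record` that `purpose` does not permit (useful for policy review)."""
    allowed = DISCLOSURE_POLICY.get(purpose, frozenset())
    return frozenset(record) - allowed


if __name__ == "__main__":
    log: List[AuditEntry] = []
    print(disclose(PATIENT, "ems_dispatch", audit=log))
    print(sorted(withheld_fields(PATIENT, "ems_dispatch")))
    try:
        disclose(PATIENT, "marketing", audit=log)
    except DisclosureDenied as exc:
        print("denied:", exc)
    print(log)
```

The design point is the allow-list: adding a new field to the patient record (say, a genetic test result) cannot leak to EMS dispatch unless someone deliberately adds it to that purpose's set, and the audit entry records field names rather than values so the log itself does not become unprotected ePHI.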


Telehealth services during COVID-19

Telehealth services have become increasingly popular during the COVID-19 pandemic, as they allow patients to receive medical care remotely and safely. Telehealth includes video, audio, remote patient monitoring, and electronic medical record platforms, and it extends to provider administration and continuing medical education.

During the pandemic, Medicare and commercial insurers relaxed restrictions on telehealth, and many providers now offer telehealth visits as an alternative to in-person appointments. Patients can access these services with a smartphone, tablet, or computer that has a camera and microphone, over video conferencing platforms such as Zoom, Skype, or WhatsApp. Consumer apps like these are not HIPAA-compliant by default; during the COVID-19 emergency OCR announced it would exercise enforcement discretion and not impose penalties for good-faith use of non-public-facing remote communication products, while public-facing services (such as live-streaming to an open audience) remained impermissible. Outside that discretion, a provider needs a business associate agreement with the platform vendor and the Security Rule safeguards that go with it.

Telehealth services offer several benefits, including increased access to medical care, reduced wait times, and improved efficiency. They are particularly useful for patients with complex medical conditions or risk factors, including those with COVID-19, who can receive care without an in-person visit. Telehealth is also well suited to follow-up visits and remote monitoring of vital signs, such as blood pressure or glucose levels.

In addition, telehealth has been successful for counseling and behavioral health services, allowing patients to address mental health issues without going into an office. It has also facilitated integrated, team-based care, where specialists can assemble via video and provide recommendations from their own perspectives.

However, it is important to note that telehealth may not be suitable for all types of appointments, and some visits may still need to take place in person. Additionally, while telehealth can provide convenience and accessibility, there may be a learning curve for both providers and patients in adopting new technologies and platforms.

Frequently asked questions

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes federal standards to protect sensitive health information from disclosure without a patient's consent.

Do the HIPAA rules still apply during a public health emergency?

Yes. During a public health emergency such as a disease outbreak, the HIPAA Privacy and Security Rules still apply. The Security Rule requires reasonable safeguards to protect electronic PHI (ePHI) against impermissible uses and disclosures. The Privacy Rule permits uses and disclosures of PHI without authorization for treatment, payment, and healthcare operations, and for specific public-interest purposes such as public health reporting; other uses and disclosures require the individual's authorization.

Can an employee tell their employer that they have COVID-19 without violating HIPAA?

Yes. Communications between employers and employees about health are not governed by the HIPAA Privacy Rule, so HIPAA does not apply when an employee tells an employer that they have contracted COVID-19 or are self-isolating because they are displaying symptoms. HIPAA would apply only if the employer learned of an employee's positive test from the employer's group health plan, which is a covered entity.

What can I do if I think my HIPAA rights were violated?

You may file a complaint with the HHS Office for Civil Rights (OCR) if you believe your rights under the HIPAA Rules were violated.
