HIPAA Compliance and COVID-19 – OCR Guidance

Published on Apr 27, 2020 | HIPAA

As the COVID-19 pandemic advances rapidly, the U.S. is taking extreme measures to mitigate the health impact of the virus. Whether you run a hospital, a law firm or a medical review company, all your employees must be aware of the HIPAA Privacy Rule, which protects the privacy of patients’ protected health information (PHI).

Recently, under a Section 1135 waiver, sanctions and penalties arising from a hospital’s noncompliance with certain provisions of the HIPAA Privacy Rule were waived. The provisions covered are: the patient’s right to request privacy restrictions and confidential communications, the requirement to obtain a patient’s agreement to speak with family members or friends, the requirement to honor a patient’s request to opt out of the facility directory, and the requirement to distribute a notice of privacy practices.

OCR guidance on disclosing PHI

There could be confusion as to how health privacy restrictions apply during the coronavirus pandemic. To address questions that healthcare providers and other parties may have regarding the HIPAA rules during this public health emergency, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a bulletin in February 2020. The bulletin ensures that HIPAA covered entities and their business associates are aware of the ways patient information may be shared under the HIPAA Privacy Rule during an outbreak of infectious disease or other emergency situation, and serves as a reminder that the protections of the Privacy Rule are not set aside during an emergency.

The HIPAA Privacy Rule applies only to covered entities and business associates:

  • Covered entities include health plans, health care clearinghouses, and health care providers that conduct one or more covered health care transactions electronically, such as transmitting health care claims to a health plan.
  • Business associates are persons or entities that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information. Business associates also include subcontractors that create, receive, maintain, or transmit PHI on behalf of another business associate.

Under the Privacy Rule

  • covered entities may disclose, without a patient’s authorization, protected health information about the patient as necessary to treat the patient or to treat a different patient
  • treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment
  • a covered entity may share PHI with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care
  • a covered entity may also share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, the police, the press, or the public at large of the patient’s location, general condition, or death
  • a covered entity may share PHI with disaster relief organizations like the American Red Cross that are authorized by law to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death
  • for most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose
  • in an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures
  • public health authorities and others responsible for ensuring public health and safety can have access to PHI that is necessary to carry out their public health mission
  • public health authorities such as the CDC or a state or local health department can legally collect such information for the purpose of preventing or controlling disease, injury or disability
  • a health care provider may share relevant information about the patient with family, friends, or others involved in the patient’s care or payment for care, if the patient is unconscious or incapacitated
  • health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law and the provider’s standards of ethical conduct
  • except in the limited circumstances discussed above, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about the treatment of an identifiable patient, may not be done without the patient’s written authorization

Telehealth services during COVID-19

During the COVID-19 national emergency, covered health care providers subject to the HIPAA Rules can provide telehealth services through remote communication technologies. In its notice, OCR supports telemedicine, as increasing access to telehealth will reduce the need for healthy or non-symptomatic individuals to travel to facilities for health care, which will in turn reduce transmission.

OCR also announced that

  • OCR will not impose penalties for telehealth services provided through noncompliant remote communications technologies if the services are provided in good faith
  • the agency will permit providers to use any nonpublic facing audio or video communication technology to provide services
  • covered entities may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk of such penalties
  • providers can notify patients that these third-party applications potentially introduce privacy risks, and they should enable all available encryption and privacy modes when using such applications

CMS has also extended its Medicare telehealth coverage during the COVID-19 pandemic, making it easier for physicians, nurse practitioners, clinical psychologists, and licensed clinical social workers to offer telehealth to Medicare beneficiaries in their homes. Any business handling patient data, including providers of medical review services, must be up to date with the current HIPAA rules.

Discover our medical record review solutions and partner with us for your next case.
