As some colleges attempted to hold in-person classes this fall and experienced COVID-19 outbreaks, they faced the dilemma of how much information they could disclose without violating students’ privacy rights under the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA), according to an article published by The Wall Street Journal titled “Colleges Weigh Transparency Versus Privacy When It Comes to Covid-19 Data.”
HIPAA is a federal law that safeguards the privacy of protected health information (PHI) or individually identifiable health information. The HIPAA Privacy Rule, in particular, specifies when organizations that must comply with the regulation (a.k.a., “covered entities” and their business associates) can legally disclose PHI, according to the U.S. Department of Health and Human Services (HHS).
Just as the novel coronavirus has significantly altered procedures in other areas of life during the past six months or so, the pandemic has also necessitated some changes in HIPAA compliance requirements to balance patient privacy rights with public health authorities’ need to access COVID-19-related data and healthcare providers’ ability to effectively respond to the public health emergency.
If you’re concerned about maintaining HIPAA compliance during these tumultuous times, here are some key things you should know about how regulatory requirements have changed since the beginning of the crisis in the U.S.
1. HHS waived penalties and sanctions for covered hospitals that don’t comply with certain HIPAA Privacy Rule provisions.
Effective March 15, 2020, Secretary of HHS Alex M. Azar waived penalties for covered hospitals that don’t follow these requirements:
- Patient’s right to request privacy restrictions
- Patient’s right to request confidential communications
- Distribution of a notice of privacy practices
- Honoring of requests to opt out of the hospital’s facility directory
- Securing the patient’s agreement before talking to family members or friends involved in their treatment
It’s important to note that this waiver only applies to hospitals that are located in the area specified by the public health emergency declaration and that have instituted a disaster protocol. Additionally, it only applies for up to 72 hours after the hospital administers its disaster protocol. For more information, please read the full HIPAA and COVID-19 bulletin from HHS.
2. Business associates of covered entities won’t necessarily face penalties for good faith uses and disclosures of PHI for public health and health oversight purposes.
In a press release issued earlier this year, the HHS Office for Civil Rights (OCR) clarified that it will “exercise its enforcement discretion” and not impose penalties for violations of certain Privacy Rule provisions if a covered entity or business associate makes a “good faith use or disclosure” of PHI for public health and health oversight activities related to the pandemic.
“This Notification was issued to support Federal public health authorities and health oversight agencies, like the Centers for Disease Control and Prevention (CDC) and Centers for Medicare and Medicaid Services (CMS), state and local health departments, and state emergency operations centers who need access to COVID-19 related data, including PHI,” the release states.
While covered entities could already legally share PHI with public health authorities and health oversight agencies under the HIPAA Privacy Rule, their business associates previously could not unless expressly permitted via their business associate agreement. For details, please visit the HHS website to read the full notification of enforcement discretion.
3. Healthcare providers won’t necessarily get penalized for violations related to the good faith provision of telehealth services.
The HHS OCR also issued a notification of enforcement discretion clarifying that the agency won’t penalize healthcare providers for not complying with HIPAA if the violations are related to the good faith usage of non-public facing audio and video communication solutions for telehealth purposes. For example, that means care providers can use Zoom, Google Hangouts, Apple FaceTime and Facebook Messenger video chat to treat COVID-19 patients remotely. The usage of public facing apps like Twitch, TikTok and Facebook Live isn’t permitted, however. Visit the HHS website for more information.
4. HHS won’t necessarily impose penalties for non-compliance related to the good faith operation of a COVID-19 Community-Based Testing Site (CBTS).
The HHS OCR does, however, advise that testing sites leverage “reasonable safeguards,” such as putting up canopies or other barriers that give people some privacy while healthcare providers administer tests. For more details, please visit the HHS website to read the full notification of enforcement discretion.
For those who’d like information about HIPAA and COVID-19 in general, the HHS website has a dedicated page including all OCR HIPAA announcements, notifications of enforcement discretion, guidance and other resources. Please note that this isn’t an exhaustive list of changes to compliance requirements, and the notices of enforcement discretion described in this blog post are subject to change by the HHS OCR.
If you’d like to learn more about HIPAA compliance during the COVID-19 pandemic and in general, our team would be happy to help you in any way that we can. To serve our clients in the healthcare industry as effectively as possible, we are a fully HIPAA compliant technology partner. All our staff members have gone through training on how to properly safeguard PHI, and we offer HIPAA Compliance as a Service. For details, just give us a call at 877-599-3999 or email firstname.lastname@example.org.