In the wake of COVID-19, HIPAA’s security and privacy rules addressing the disclosure of protected health information and, in particular, electronic protected health information are front and center.
Download this FYI as a printable PDF
Background
The U.S. Department of Health & Human Services Office for Civil Rights (OCR), the enforcement arm for the Health Insurance Portability and Accountability Act (HIPAA), has issued several pieces of guidance to help covered entities and business associates understand their compliance obligations with HIPAA’s rules to continue safeguarding individuals’ protected health information (PHI) and electronic protected health information (ePHI) during the COVID-19 pandemic.
Guidance
Guidance released by OCR has included bulletins, notifications of enforcement discretion, and other announcements. While much of the content is aimed at health care providers, there are implications for group health plans. The guidance covers enforcement waivers and identifies circumstances where PHI can be disclosed without obtaining an individual’s permission; however, the OCR is clear that waivers are temporary and reaffirms privacy rule protections are not set aside even during an emergency. Particular guidance of note focuses on the permitted disclosure of PHI, provision of telehealth services, and business associates’ obligations.
Permitted disclosure
OCR’s Bulletin, released in February, addresses the ways patient information may be shared under the HIPAA Privacy Rule without seeking permission from an individual. The guidance, confirming the long-standing rules on disclosure, notes that PHI can be disclosed for treatment, to public health authorities and to foreign government agencies at the discretion of a public health authority, as well as to family, friends, and others involved with an individual’s care and to prevent a serious and imminent threat to the health and safety of an individual(s) or the public. Before each of these disclosures may be made, there are certain conditions that the covered entity should evaluate. The OCR cautions that disclosure of PHI to the media and others not involved with the care of the patient is not permitted and reminds covered entities and business associates to be mindful about disclosing only the minimum amount of information necessary to accomplish the purpose.
Buck comment. In this time of the pandemic, covered entities, including health plans, should review the permitted disclosure rules with their staff.
Telehealth
Notification of Enforcement Discretion, issued March 2020, announced the OCR will not impose penalties for HIPAA violations against health care providers using telehealth services. The guidance identifies several HIPAA compliant technology vendors willing to enter into HIPAA business associate agreements, and highlights video chat apps that are public-facing and not permitted to be used for the provision of telehealth services. It affirms OCR’s position that it will waive penalties for noncompliance with HIPAA rules by health care providers as it relates to the good faith provision of telehealth services during the COVID-19 public health emergency.
Business associates
Notification of Enforcement Discretion under HIPAA, announced April 2, 2020, states the OCR will not impose penalties for violations of certain provisions of HIPAA’s Privacy Rule against health care providers and their business associates for good faith uses and disclosures of PHI during the COVID-19 public health emergency.
Health plans
Health plans are covered entities under HIPAA. As such, health plans are bound to adhere to HIPAA and to the COVID-19 related HIPAA compliance guidance and should not disclose PHI or the names of employees or members who have tested positive for COVID-19, except for the permitted disclosures outlined in their policies and procedures or pursuant to a valid authorization. HIPAA prohibits the use or disclosure of PHI for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor. Therefore, it is important to distinguish the role being played by employer representatives as it pertains to receiving this heath information. For example, if an employee’s COVID-19 status is revealed to an employer as it pertains to their absence from work and filing for disability, the information, while it should be treated as sensitive personal data and stored appropriately, is not considered PHI under HIPAA. Although an employee’s conversation with an employer is not considered PHI, employers should treat COVID-19 disclosures confidentially and consider OCR’s guidance in preparing their workplace policies related to the pandemic.
In closing
COVID-19 has touched all aspects of how we live and work. Employers are grappling with many issues to keep business afloat, while practicing sound risk management to meet compliance obligations. OCR’s guidance helps covered entities and business associates confirm and understand their HIPAA obligations in safeguarding PHI during the pandemic.
Employers should also be mindful of data privacy and security best practices as they pertain to HIPAA and COVID-19 and may want to consider the following:
- Revisit your organization’s remote access policy, which was likely not intended to address most employees working from home.
- Initiate new BAAs as necessary — have any new technologies and/or applications been deployed to access PHI?
- Educate employees about the increased cybersecurity risk of working remotely and consider conducting controlled exercises to assess your organization’s risk.
- Train those employees with access to PHI and include instructions on permitted uses and disclosures of PHI with a focus on the “minimum necessary” standard.
Review your emergency operation plan and revise as necessary.
Volume 43 | Issue 24