OCR Announces Enforcement Discretion Regarding Use of Online or Web-based Scheduling Applications for COVID-19 Vaccination AppointmentsGreg Garner
During the pandemic, care providers face many challenges. One of those challenges is maintaining HIPAA compliance during COVID-19 vaccinations.
HIPAA security rules protect patient health information. They establish safeguards that care providers must implement for protected health records.
However, things have changed in light of the COVID-19 pandemic. The Department of Health and Human Services (HHS) has made an important exception. They’ve waived some sanctions and penalties.
The waivers apply to specific provisions of HIPAA privacy rules. Recently, the OCR made an announcement regarding this matter.
To learn more about the OCR announcement regarding enforcement discretion, continue reading.
The OCR Announcement: A Brief Review
The OCR announcement for COVID-19 vaccinations has drawn much media attention. The office of civil rights (OCR) issued the notice on January 20, 2021.
In the statement, the OCR says that the agency will not impose certain penalties. The waiver applies to certain HIPAA non-compliance events.
The waiver applies to covered care provider entities and business associates. Furthermore, it applies to good-faith use of online or web-based scheduling applications.
For example, care providers might use a non-public facing web-based application (WBSA). A WBSA is a digital tool used to schedule vaccinations.
These kinds of digital tools are important. WBSAs are vital assets in the midst of the current public health emergency.
A non-public WBSA is a tool for online scheduling and COVID vaccinations. It provides healthcare professionals with appointment and scheduling information. Today, care providers use WBSAs for large-scale COVID-19 vaccinations.
The waiver applies to any incidents occurring retroactively starting December 11, 2020. The OCR emphasizes that the waiver is temporary.
Furthermore, the agency says that the waiving of penalties only applies to the scheduling of COVID-19 vaccinations. It does not apply to any other health-related activities.
Understanding HIPAA Leniency During COVID-19
By default, a non-public facing WBSA only provides access to intended parties. These parties may include healthcare providers. They may also include individuals who schedule appointments.
Furthermore, intended parties might include technical support personnel who service WBSA systems. Due to the nature of their work, IT professionals might have access to WBSA data.
However, the OCR waiver does not include all scheduling applications. For instance, it does not apply to WBSA systems that connect directly to patient records (EHRs).
If a breach were to occur within a WBSA system that connects directly to EHRs, the OCR might still face fines. It’s important to understand this point.
Your organization can still face certain risks. For example, you might use a COVID-19 vaccination schedule. If it connects directly to patient records, you’ll need to exercise caution.
The pandemic presents a different kind of challenge. Caregivers must notify public authorities about infected individuals.
Public agencies, such as the CDC, need this kind of information. The agencies use the information to protect public health and safety.
For this reason, care providers can now share information with agencies such as the CDC. They can also share information with other agencies. However, those agencies must hold responsibility for ensuring public safety.
These kinds of disclosures prevent the spread of the coronavirus. For this reason, the OCR has granted a limited waiver. It allows care providers to share patient information as needed.
Maintaining Compliance During COVID Vaccinations
Still, the OCR recommends that caregivers use reasonable safeguards when using WBSAs. Safety measures include complying with the minimum necessary rule when scheduling vaccinations. They also include using encryption to protect patient information.
Furthermore, care providers should enable all available privacy settings. Take, for instance, your organization’s WSBA calendar. You should adjust the display settings to show initials instead of full names.
You may store your information with a third-party vendor. If so, you should make sure that that arrangement is temporary. Furthermore, you should make sure that the vendor complies with HIPAA guidelines.
It’s important that your partners follow the same HIPAA conventions. In this way, you can protect your organization from liability.
During the announcement, the OCR representative raised an interesting point. The point was that some organizations may still fail to implement recommended safeguards.
However, this oversight does not mean that an organization did not act in good faith. In these instances, the OCR says it may not impose HIPAA penalties.
HIPAA Compliance Challenges During the Pandemic
For healthcare organizations, the pandemic raises unique issues. Imagine your workplace, for example. Here, you must notify all staff members of the status of an infected coworker.
It’s important to let other employees know if one of their peers has been affected by COVID-19. This information is vital for enabling staff members to maintain their personal safety. However, it’s also essential for controlling the spread of the virus.
An infection could occur in your workplace. If so, it’s a best practice to disclose this information. However, you must do so without revealing the affected individual’s name.
For example, you might use the word “someone” in place of that individual’s name. Alternatively, you might say that someone they’ve been in close contact with has the virus.
You’ll also need to share with staff members the date that person tested positive. It’s also helpful to assure your staff members that that individual is now self-isolating.
HIPAA and COVID-19 Workplace Challenges
The spread of the coronavirus presents several challenges in the workplace. It’s important to consider how to deal with COVID-19 infections.
It’s vital to comply with HIPAA regulations. Accordingly, you should think about how to share information without offering unneeded facts.
Most likely, there are two common issues you’ll face in the workplace when it comes to COVID-19. You might have an employee who was diagnosed with coronavirus.
Alternatively, someone may have been exposed to COVID-19. In part, your status as a covered entity will affect how you address these kinds of issues.
Understanding Allowed COVID-Related Disclosures
It helps to know what kind of entities are covered entities. You may fall into this group. If so, you can share patient information without permission. There also specific events that warrant sharing patient data without permission.
For example, you might need to share patient information. However, you may need to do so without their permission in order to provide treatment.
Treatment includes arranging or managing healthcare and other related services. Furthermore, one or more providers can consult with other providers and provide referrals.
Covered entities can also share information with family, friends, and other select individuals. However, the patient must identify these individuals as having involvement in their care.
Covered entities can also share information needed to identify or locate family members. Furthermore, you can share this information to find anyone involved in patient care.
In some instances, this might include contacting the police or the press. It can even mean sharing information with the general public.
Whenever it’s possible, however, care providers should get verbal permission from patients. At a minimum, you should have the ability to reasonably assess that a patient will not object.
Learning More About HIPAA and COVID-19 Compliance
HIPAA regulations have created quite a stir in the medical field. Now, care providers must take reasonable steps to protect patient information.
Now, however, the coronavirus has created loopholes in HIPAA policy. Some people worry that this can leave patients vulnerable to exploitation.
Ultimately, the OCR change will result in a paper trail. This paper trail will assess individual health status. It will delve into various areas of people’s lives
Currently, the OCR believes that the pandemic overrides some rights to privacy. As the pandemic subsides, the OCR will most likely reassess their position on this matter. For this reason, it’s vital to stay informed about OCR updates.
Meanwhile, healthcare professionals must exercise good judgment. You must think carefully about sharing patient health information during the coronavirus.
Surprisingly, the guidelines for sharing COVID-19 have proved vague. Resultantly, there’s an increased risk of potential breaches of privacy. Nevertheless, the public expects a certain level of protection regarding their patient information.
For this reason, it’s a good idea for your medical staff to learn brief but highly empowering skills. These skills will enable them to navigate the balance between COVID-19 and HIPAA regulations. A highly regarded training service can help you to do just that.
The Leading COVID and HIPAA Compliance Training Available
Now you know more about the OCR announcement regarding enforcement discretion. What you need now is an accredited training provider that can help your organization manage privacy in the age of COVID-19.
HIPAA Exams can help your organization prepare staff members to manage issues related to COVID-19. What’s more, we can help you do so for a moderate fee.
Furthermore, our COVID-19 readiness class only takes 60 minutes. Most importantly, it’s a self-paced e-learning resource. It will help employees to learn the best practice recommendations of OSHA and the CDC.
For more information about COVID-19 HIPAA training, please feel free to browse our online resource.