The HIPAA Privacy Rule Is NOT Suspended During COVID

Every medical professional's worst nightmare? A HIPAA Privacy Rule violation. HIPAA is the Health Insurance Portability and Accountability Act. This law established the legal protection for a patient's health and medical records. These regulations are mostly enforced by the US Department of Health and Human Services' Office for Civil Rights (OCR). Following HIPAA remains one of the most important considerations for medical professionals. It covers protected health information (PHI) for patients across the board. While the COVID pandemic has made it more complicated, the HIPAA Privacy Rule is still in effect. One of the most important ways to keep a workplace safe under these conditions is to maintain HIPAA policies. Keep reading for more information on the HIPAA Privacy Rule in the context of the COVID pandemic.

HIPAA Privacy and Security Rules

HIPAA was first established in 1996. Since that time, it has governed patient privacy at all levels of the healthcare cycle. According to this law, patient medical records are confidential and protected information. If there is a breach of data security, providers must promptly inform patients. This regulation was further secured with the passage of the HITECH Act in 2009. This stands for Health Information Technology for Economic and Clinical Health. This act focused on protecting patient data in the digital age. Individual states also establish their own HIPAA laws and regulations. To be specific, there are five main HIPAA rules:

  1. Privacy Rule
  2. Security Rule
  3. Transactions Rule
  4. Identifiers Rule
  5. Enforcement Rule

In respect to the COVID pandemic, HIPAA privacy and security are particularly relevant. The Privacy Rule protects patient PHI and medical records. It sets limits on the uses and disclosures of information absent patient authorization. This rule also secures the right for patients to gain access to their medical records. If there are errors, they may request corrections. The Security Rule regulates the standards, methods, and procedures of patient medical records. It protects electronic storage, accessibility, and transmission of PHI. There are three safeguard levels of security under this rule:

  1. Administrative: assignment of a HIPAA security compliance team
  2. Technical: encryption and authentication procedures for those with PHI access
  3. Physical: protection of any electronic system or equipment within the facility

Together, these mandate the proper storage and protection of patient information.

Who Must Comply With the HIPAA Privacy Rule?

HIPAA rules apply to all medical practices. They also cover any other office with access to patient health information. Covered Entities include:

  • Doctor's offices
  • Hospitals
  • Labs
  • Clinics
  • Dental offices
  • Pharmacies
  • Psychologists
  • Chiropractors
  • Nursing homes
  • Health insurance companies
  • Government programs that pay for health care (Medicare, Medicaid, etc.)

It also applies to vendors and subcontractors who work within these facilities. When sharing patient information with Business Associates, you are still under HIPAA regulations. This means you are responsible for how your Business Associates handle PHI. This is why it is critical for medical professionals to carefully select who they share PHI with. If you share PHI with Business Associates who mishandle it, their mistakes now affect you. The best way to protect yourself against this is a Business Associate Agreement. This document outlines how both parties protect PHI. It forces you to be diligent about verifying security practices. Plus, it ensures you only share PHI with trusted partners. If Business Associates are unwilling to sign one, it signals an unwillingness to take HIPAA seriously. This way, HIPAA compliance remains intact even in such uncertain times.

The Privacy Rule and Telehealth

HIPAA applies to any healthcare provider who sends and receives PHI electronically. This has become trickier throughout the COVID pandemic, especially with many medical professionals turning to telemedicine. Telemedicine adds convenience, allowing patients to receive healthcare while reducing exposure. But it makes compliance more difficult in the process. HHS has announced enforcement discretion for HIPAA standards in telehealth communications. Yet, it can still be a slippery slope for medical professionals to navigate. They must make a consistent, conscious effort to protect the PHI of their patients.

HIPAA Privacy Rule Violation

There are various ways of violating HIPAA, whether intentionally or unintentionally. The most common culprit is human error. This may occur when employees leave sensitive information in plain view of others. Or, it could occur when patient information is mistakenly sent to the wrong party. Other common examples of HIPAA violations include:

  • Unsecured records
  • Hacking and data breaches
  • Incorrect disposal of patient records
  • Failing to adhere to state HIPAA laws
  • Lost or stolen non-encrypted devices

The sense of disconnect from normal workflows has made everyone feel more disorganized. This only increases the likelihood of inadvertently violating HIPAA. It's important for professionals in all practices to understand the HIPAA Privacy Rule in its new context of the COVID pandemic. With no clear end to this pandemic, there is no time like the present.

HIPAA Privacy Rule and COVID

One of the biggest issues throughout the COVID-19 pandemic is controlling the spread. This has raised other questions, particularly about the role of HIPAA. Under ordinary circumstances, there would be no debate. It would be outlandish for doctors to call your friends and inform them of your conditions. But everything changed with the rise of COVID and its notably quick rate of transmission. This is especially key for asymptomatic carriers. With this in mind, many typical medical practices are under questioning. As such, one of the biggest questions about HIPAA is in the application of the Privacy Rule. COVID challenged the ability of medical professionals to share identifying information of someone who has been infected with or exposed to SARS-CoV-2 (the virus that causes COVID-19). Can medical professionals share this information with law enforcement, paramedics, and public health authorities, even without the patient's permission? In essence, the answer is yes. The HIPAA Privacy Rule is still in effect. But HHS authorized covered entities to disclose PHI for potential or confirmed COVID-19 patients. This can occur without the patient's authorization in certain circumstances. There is an important thing to note here. Even when releasing PHI, they must make reasonable efforts to limit the information disclosed. It should be the "minimum necessary" to achieve the purpose, while still protecting the patient as much as possible. While not imposing penalties for certain Privacy Rule violations made in good faith, HHS is still keeping a watchful eye out to protect patient rights. Examples of these HIPAA Privacy Rule exceptions are described in greater detail below.

When Disclosure Is Required to Provide Treatment

In some situations, disclosure is absolutely needed to provide proper treatment. But the patient may be incapacitated or otherwise unable to provide consent. Without full disclosure, they may not receive adequate medical care for the effects of their condition. This is especially important for COVID patients. For example, a patient in a covered nursing facility may be suffering from symptoms of COVID. Onsite personnel have called for emergency medical transport to bring this individual to the hospital. It is imperative that onsite personnel disclose PHI for this patient to the first responders. This way, the patient can be properly cared for en route to the hospital. Plus, their condition can be more quickly relayed to hospital staff upon arrival.

When Notification Is Required by Law

Another situation in which it is permissible to disclose PHI is when required by law. For example, let's follow the patient transported from the nursing facility. There are certain legal requirements of hospital staff upon the patient's arrival. The hospital is the covered entity in this case. It is permitted to disclose this patient's COVID status to public health officials, under state laws requiring such a report to state disease professionals.

To Prevent or Control Spread of Disease

The HIPAA Privacy Rule also permits covered entities to disclose PHI to a public health authority. Most commonly, this may be the Centers for Disease Control and Prevention (CDC). Other examples include state, local, territorial, or tribal public health departments. These entities are authorized under the HIPAA Privacy Rule to collect this information for use in the following purposes:

  • Preventing/controlling disease
  • Preventing/controlling injury
  • Preventing/controlling disability
  • Public health surveillance
  • Public health investigations
  • Public health interventions

When it serves to meet these goals, sharing PHI is permitted.

When First Responders May Be Exposed to Infection

This exception is especially important during COVID-19. Due to the high transmission of this disease, police officers, firefighters, and EMTs frequently face exposure. Plus, they may not always be aware of instances of exposure. In light of this, it is permissible under the HIPAA Privacy Rule to share pertinent PHI with a first responder. This would occur in compliance with applicable state laws, in order to notify the first responder in the course of a public health intervention or investigation. This can also apply to other professionals who may not be seen as the typical "first responder," but have frequent contact with the public. This could include:

  • Child welfare workers
  • Mental health crisis services personnel
  • Others charged with protecting the health and safety of the public

If these individuals have been exposed to COVID in their workplace duties, they may be notified in compliance with the HIPAA Privacy Rule in order to mitigate further spread.

Upon Request of Correctional Institutions/Law Enforcement Officials With Custody of Inmates

Officials from correctional institutions or other law enforcement facilities may request PHI for individuals in their custody. This might be needed for various functions, including:

  • Providing health care to the individual
  • The health and safety of the individual
  • The health and safety of the other inmates, officers, employees, and others present at this facility
  • The safety and security of transporting and holding the individual
  • The administration and maintenance of the safety, security, and good order of the correctional institution

Under this exception, the HIPAA Privacy Rule would allow for covered entities within a prison to share an inmate's positive COVID test results with correctional officers within the facility. Because this is to ensure the health and safety of everyone at the prison, it satisfies the HIPAA Privacy Rule under these circumstances.

Educating Yourself on HIPAA Regulations

In such changing times, it can be challenging to identify the best way to align with HIPAA and keep patient information safe. The best course of action is to conduct a HIPAA Privacy Rule risk assessment when needed. There are security risk assessment resources available from the Office of the National Coordinator for Health Information Technology, in collaboration with the HHS Office for Civil Rights, to assist with this. For any professionals who may come into contact with patient PHI, it's important to stay informed on HIPAA regulations. It is the best way to keep yourself and your patients protected. There are various ways to go about staying on top of HIPAA regulations. The easiest and most effective way is usually to take certification or refresher courses regularly. This way, you can remain confident in your ability to uphold HIPAA regulations at all times.

HIPAA Exams Is Here to Help

The COVID-19 pandemic has brought about unprecedented circumstances across the board. But this does not have to compromise the integrity of the HIPAA Privacy Rule. Brushing up on HIPAA regulations, especially in the context of our new normal, can ensure the safety of patient data and medical records. While this is not an easy task, HIPAA Exams is here to help. With our low-cost, highly accredited courses, we make compliance a breeze. We even offer a specific course on COVID-19 in Healthcare, to sharpen your skills in applying these federal regulations. For more information or to enroll in a course, contact HIPAA Exams today.
