June 12, 2020 | By By Bryan Meek, Esq., Brennan, Manna, and Diamond
As the COVID-19 pandemic continues to wreak havoc globally, many industries have been forced to adapt to unprecedented challenges while remaining cognizant of everchanging guidance from public health officials and government agencies. Notably, the healthcare industry has been confronted with countless practical and logistical obstacles as providers strive to protect their patients, staff, and businesses while delivering services in previously unconventional ways. As they rethink convention, providers are tasked with maintaining compliance under prevailing industry standards, including regulations relative to patient privacy and confidentiality.
Since the outbreak of COVID-19, temporary modifications to these industry standards, including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), have been made to accommodate the unforeseen challenges presented to the medical community. Although some mandates have been relaxed during this unusual time, the most basic tenets of HIPAA remain. As the healthcare industry continues to navigate a way forward, it is vitally important to understand privacy implications as practitioners continue to implement new protocols for providing care while safeguarding patient protected health information (“PHI”).
As providers accommodate their practices to meet the needs of patients while mitigating exposure to others, there has never been a more important time for healthcare providers to be proactive in maintaining HIPAA compliance and adapting to other government rules and regulations surrounding ongoing privacy obligations to patients. Some of the most important considerations in the patient privacy conversation are highlighted below:
- Permissible Disclosures: Treatment | Common sense prevails. Guidance from the Department of Health and Human Services (“HHS”) instructs providers that PHI may be released to public health and medical personnel for the purpose of providing direct treatment to an infected patient.
- Permissible Disclosures: Legal Mandates | Statistics are vital. Reporting confirmed or suspected cases of COVID-19 to public health officials in accordance with state guidelines is permissible under HIPAA to ensure accurate data is presented for public consumption.
- Permissible Disclosures: Control the Spread | Protecting our frontline workers is paramount. As with any threat to public health and safety, ensuring our law enforcement and emergency medical personnel remain healthy and fit for duty is essential to protecting the public. Thus, reporting confirmed or suspected cases to those who have been in direct contact is essential to mitigating the spread and keeping personnel healthy. However, care should be taken not to identify the infected person.
- Impermissible Disclosures: Media Access | Despite the above relaxations in PHI disclosures, HIPAA maintains ongoing protections relative to media access to confidential information. Without an executed, valid HIPAA authorization, health care providers may not allow media personnel access to any areas where patient PHI may be accessible in any form — even if masks are utilized, or patient faces are blurred.
- Community Based-Testing Sites | Get tested and keep PHI protected. In an effort to expand Community Based-Testing Sites, including mobile, drive-through, and walk-up locations, the HHS Office of Civil Rights (“OCR”) recently announced that it will relax its imposition of penalties against covered entities or business associates who demonstrate good-faith participation in HIPAA compliance during specimen collection or testing related to COVID-19.
- Use of Telehealth | Situational awareness and network security have never been more vital. Growth in the use of telehealth platforms as a means to communicate and provide services to patients has led to privacy concerns and compliance challenges. In response, OCR and HHS have temporarily relaxed the imposition of penalties for noncompliance with the regulatory requirements of HIPAA provided that practitioners demonstrate a good faith effort to maintain prevailing industry standards.
- Extensions to Business Associates | OCR and HHS have temporarily extended the waiver of telehealth penalties under HIPAA to business associates of a covered entity to allow for COVID-19 related data to be shared with federal public health authorities and health oversight agencies as long as a good-faith effort to maintain compliance is demonstrated and the covered entity is notified within ten days.
- Workplace Considerations | There is no “I” in “team.” There is no coughing or fevers either. As industries transition back into the workplace, public health authorities have authorized employers to screen employees for COVID-19 symptoms prior to beginning work each day. As these screenings take place, it is important for employers to document all results and remedial actions while ensuring employee privacy in consideration of both HIPAA and the Americans with Disabilities Act of 1990 (“ADA”). These results must be kept separate from an employee’s standard file.
- Contact Tracing | New technology allowing for digital contact tracing is on the rise, but the implications of HIPAA remain uncertain. The United States, Google, and Apple are working together to create a mobile application which will allow users to self-report positive COVID-19 diagnoses. The app simultaneously tracks user locations through GPS or Bluetooth technology and records when two users have been in close enough proximity for a long enough period of time for COVID-19 to be transmitted. When a user reports a positive test, the app will immediately alert other users who were near the infected user and encourage them to get tested.
- Waiver Terminations | All good things must come to an end. Although OCR and HHS have not set a timeline for the termination of waivers and the above relaxed requirements, the Trump administration has stressed that HIPAA waivers will only be in place during the pandemic. With that said, given the impact that these measures have had on the healthcare industry, the transition back to normalcy will likely be done in phases. Practitioners are encouraged to remain vigilant for new directives from state and federal health authorities.
If you need additional assistance regarding these modifications to HIPAA, advice on remaining HIPAA compliant, or HIPAA training as the industry navigates forward, please do not hesitate to contact Bryan E. Meek, Esq. (330-253-5586 or bmeek@bmdllc.com), who is an attorney in Brennan, Manna & Diamond’s Provider Relations, Audits, and Appeals Unit, a division of BMD’s Healthcare Department.