There is no doubt that the 2019 Novel Coronavirus (SARS-CoV-2) is bringing unprecedented changes to the entire world. This highly infectious disease with a high mortality rate creates many challenges for healthcare organizations, including what information can be shared with family members, public health officials, and emergency personnel. Hence, there is an understandable concern about HIPAA compliance and how the HIPAA Privacy and Security Rules apply, since a disease outbreak on this scale has never been experienced.
Why Was HIPAA Created?
The Health Insurance Portability and Accountability Act (HIPAA) was created primarily to regulate how personally identifiable information maintained by the healthcare and healthcare insurance industries should be protected from fraud and theft. In addition to this, its aim is to address limitations on healthcare insurance coverage and improve the flow of healthcare information.
HIPAA legislation has evolved significantly over time. Apart from the language of the Act being modified to address advances in technology, its scope has been extended to cover Business Associates. This term refers to third-party service providers that perform a function on behalf of a HIPAA-Covered Entity that involves the use or disclosure of Protected Health Information (PHI).
The way in which HIPAA is implemented is constantly changing in order to accommodate advances and modifications in technology and working practices, especially in light of new threats to patient privacy and the security of PHI. With the recent spread of the novel coronavirus, it was necessary to evaluate what information employers may share under HIPAA’s Privacy Rule during an outbreak of infectious disease or other emergency situations.
HIPAA Compliance during Public Health Emergencies
On January 31, 2020, the 2019 Novel Coronavirus outbreak was declared a public health emergency for the United States. While HIPAA rules still apply in situations like this one, following President Trump’s declaration of a national emergency over the Novel Coronavirus, HHS Secretary Alex Azar issued a limited waiver of certain HIPAA sanctions.
Such temporary changes to HIPAA’s requirements are one of many examples of the government’s efforts to address the public’s healthcare needs during this crisis. While HIPAA rules are still in effect, the Secretary of the HHS may choose to waive certain sanctions and penalties for non-compliance with the HIPAA Privacy Rule.
Also, the HHS’ Office for Civil Rights (OCR) may exercise enforcement discretion for non-compliance with some aspects of the HIPAA Rules. The most recent OCR guidance was issued on March 20, 2020, and it confirms changes to the HIPAA requirements first described in the Notification of Enforcement Discretion released on March 17, 2020. Use this detailed guide to prevent any failure to comply with healthcare laws and regulations and to find out how to prepare for any compliance enforcement threats.
Temporary Adjustments of HIPAA Compliance Provisions
The limited HIPAA waiver issued in response to the Novel Coronavirus public health emergency applies only in the locations covered by the public health emergency. Also, it is applicable only to hospitals that have implemented their disaster protocol, and only for 72 hours from the time the disaster protocol is implemented. If the public health emergency declaration is terminated by the President or the Secretary before the end of this 72-hour period, hospitals must comply with all provisions of the Privacy Rule from that point on.
The limited HIPAA waiver only applies to the following HIPAA compliance provisions:
- The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care,
- The requirement to honor a request to opt out of the facility directory,
- The requirement to distribute a notice of privacy practices,
- The patient’s right to request privacy restrictions,
- The patient’s right to request confidential communications.
In addition to the waiver, the notice also reminds healthcare organizations and providers that patient information can be shared for a wide range of reasons, such as treatment purposes that improve care coordination or care management. This also includes sharing patient information with public health authorities like the Centers for Disease Control and Prevention or a local health department.
Changes to HIPAA compliance requirements include disclosures necessary for preventing or lessening serious and imminent threats. The notice outlines acceptable reasons for sharing patient information with family members, friends, and others involved in the individual’s care. However, the HHS stresses that without a patient’s consent, disclosures to the media and to others not involved in the patient’s care are not allowed. Healthcare providers remain responsible for limiting unacceptable uses and disclosures while protecting patient data.
Meeting HIPAA Compliance Standards
When it comes to the coronavirus pandemic and its rapid rate of infection, it is necessary to reconsider the existing HIPAA compliance rules. Keeping the identity of infected patients or exposed individuals secret may escalate the problem to an unimaginable magnitude. While protecting patient health information in accordance with HIPAA compliance standards is important, transparent disclosure can make a significant difference in times like these.
Even without a limited HIPAA waiver, healthcare organizations are allowed to use and disclose patient information for certain purposes without first obtaining authorization from patients. However, the disclosed information should be restricted to the minimum amount necessary to achieve the purpose for which it is disclosed.
Healthcare organizations and providers have to follow strict requirements and limits set by both state and federal regulators as well as medical organizations. When faced with a diverse set of rules open to potential changes due to current threats, healthcare organizations can ensure HIPAA compliance and prevent large violation fines by using an automated exclusion screening platform. With it, they can perform regular audits to identify possible risks of data breaches or privacy violations and ensure the security of electronic protected health information. Also, implementing features such as secure data storage, data backup, encryption, and authorization monitoring allows healthcare organizations to ensure both PHI security and privacy and to maintain HIPAA compliance.