Health Care Law Blog

HIPAA Compliance Considerations During the Pandemic
This article has been updated with new information since it was originally published on November 16, 2020.

As health care providers continue to face new challenges relating to the COVID-19 pandemic, it is important for providers to maintain compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Although the Department of Health and Human Services Office for Civil Rights (“OCR”) has loosened some requirements to allow health care providers flexibility during the COVID-19 pandemic, a majority of the patient protections under the HIPAA Privacy Rule have remained intact.

In March of 2020, OCR notified providers that it is exercising its enforcement discretion not to impose penalties for noncompliance with HIPAA in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. For example, the guidance permits providers to use popular applications for video conferencing, such as Zoom, FaceTime, Google Hangouts and Facebook Messenger.

Providers are still encouraged to use video communication vendors who have stronger security capabilities to prevent data interception and to enter into a business associate agreement with video communication vendors to assure they will protect electronic health information. Additionally, providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

OCR has also provided updated guidance on two specific areas of HIPAA compliance: media coverage of COVID-19 patients and contacting former COVID-19 patients with information on donating plasma. OCR stated that the COVID-19 public health emergency does not impact the protections that prohibit patients’ information from being given to the media. If a patient’s protected health information were to be accessible to the media (for example, through a film crew), the provider would need to obtain a written HIPAA authorization from all applicable patients. The OCR determined that even the patient’s presence in an area of a facility dedicated to treatment of COVID-19 is protected because it reveals information about the patient’s diagnosis. If the provider obtains valid, written HIPAA authorizations from every patient in the area and every patient whose protected health information is accessible, then the media could film areas where COVID-19 patients are being treated.

Recently, OCR has provided insight as to whether a health care provider may use protected health information to contact a patient who has recovered from COVID-19. The guidance indicates that a provider may contact a patient to provide them with information on donating their plasma that contains antibodies to SARS-CoV-2, which are used for treating patients with COVID-19. HIPAA generally prohibits the disclosure of protected health information for marketing purposes without the patient’s authorization. However, the OCR does not consider contacting patients to provide information about donating plasma to be marketing. The OCR guidance further notes that while the health care provider, or one of its business associates, could contact patients for this purpose, the health care provider could not provide the information to a third party or allow a third party to contact patients with information about donating plasma.

In addition to the above, OCR issued guidance on December 18, 2020 that pertains to the use of protected health information in a health information exchange for public health purposes. A health information exchange (“HIE”) is an organization that enables the sharing of electronic protected health information between two unaffiliated entities for treatment, payment, or health care operations. OCR is exercising its discretion and not enforcing penalties on a business associate HIE for disclosing protected health information to a public health authority during the COVID-19 health emergency, even if the business associate agreement does not provide for disclosure. For example, a covered laboratory may report a patient’s COVID-19 test results through a HIE to a public health authority, if the HIE is transmitting the information as a business associate of the covered laboratory. The OCR guidance related to health information exchanges and protected health information is available here.

On January 19, 2021, OCR issued a Notice of Enforcement Discretion indicating that it would not impose penalties for noncompliance with HIPAA requirements related to the use of web-based scheduling application (“WBSA”) vendors to schedule COVID-19 vaccine appointments. The guidance is still being submitted for final publication, but is available here. A WBSA is defined as a non-public facing online or web-based application that provides for scheduling of individual appointments for services in connection with large-scale COVID-19 vaccination. OCR recognizes that providers need to quickly and effectively schedule a large number of individuals for vaccination appointments, and permits them to use WBSAs to do so despite the fact that some of the applications may not fully comply with HIPAA. Similar to the use of video communication vendors, OCR recommends providers implement reasonable safeguards when using WBSAs. The Notice of Enforcement Discretion for use of WBSAs is set to last through the COVID-19 nationwide public health emergency.

Members of the Foster Swift health care practice group continue to monitor updates to HIPAA and relevant health care regulations to help providers navigate their responsibilities during the COVID-19 pandemic. Additionally, Foster Swift has its own legal cybersecurity hotline to assist a business or organization that has experienced a data breach or cybersecurity incident. If you have any questions regarding how HIPAA applies to your organization, please contact one of the authors of this article.

While the information in this article is accurate at time of publication, the laws and regulations surrounding COVID-19 are constantly evolving. Please note that the links above to the further guidance may still be under submission to the Office of the Federal Register for publication. Please consult your attorney or advisor to make sure you have the most up-to-date information before taking action.
