Preparing for the New Abnormal: Documenting HIPAA Compliance During COVID-19
In the heat of the coronavirus pandemic, healthcare organizations around the world have scrambled to balance patient privacy with the healthcare needs of patients and the community. And regulators in multiple countries have eased enforcement of privacy laws for providers who make good faith efforts to comply during this extraordinary time.
But what happens after the pandemic? In hindsight, will patients, regulators, and the public be forgiving of privacy decisions made by embattled healthcare organizations? How can healthcare providers protect themselves, in case communal memory proves short?
Don’t Let Today’s Virus Become Tomorrow’s Headache
In a recent Privacy Collective panel discussion, two privacy experts cautioned that today’s “discretionary actions” may become tomorrow’s headaches, if healthcare providers aren’t careful.
Both Adam Greene, partner at Davis Wright Tremaine and a former regulator at HHS, and Richard Chapman, Chief Privacy Officer at UK HealthCare, stressed the importance of documenting privacy decisions today to prepare for the questions that may arise in future. Citing the many questions his clients have asked about the current U.S. Department of Health and Human Services “discretionary actions,” Greene acknowledged the ultimate question about COVID-influenced privacy decisions:
“How do we unwind them when this is all over?”
The advice from both Chapman and Greene centered around consistency and documentation.
Consistency Remains Key to HIPAA Compliance
Chapman reported that post-COVID questions are very much on the minds of his management.
“As my boss liked to remind us, at some point, we’ll have to document our rationale when we have made policy exceptions and be able to justify them. One of the strategies we implemented early on was to create a multi-disciplinary regulation group that met twice a week to go through the announcements from HHS and make sure whatever guidance we were giving was consistent.”
Consistency is one of the factors that regulators generally look at in assessing privacy programs, so documentation about current exception handling should be invaluable in addressing future questions and demonstrating compliance.
HIPAA Exceptions Will Expire
During the panel discussion, Greene was asked, if a question came up in the future, is there a chance that OCR would assess under the rules in force at that time. Greene acknowledged that there are risks but said current OCR guidance implies that the rules will not be changed retroactively.
“If, for example, someone ‘Zoombombs ‘your telehealth session while this enforcement discretion is in effect, OCR seems to be saying that they would not go back and enforce the breach notification rule against you. Which doesn’t mean that the HIPAA breach notification rule doesn’t apply or that a state Attorney General might not expect you to do a breach notification. But OCR seems to be saying that if you choose not to do a breach notification, they’re not going to enforce against you.”
Greene cautioned, however, that the enforcement discretions are time limited.
“We don’t have a definitive end, but OCR has indicated that, when the emergency situation is over, they will provide notice that these enforcement discretions have ended. It raises a really big question.
If today, in a rush to get telehealth up and running, I don’t have good security and the sessions are being recorded, I might not know about that until someone comes across it two years later. Technically speaking, enforcement discretion may be over at that point, and my breach notification obligation seemingly happens when I discover the breach, perhaps when a security consultant discovers that recordings of telehealth sessions are floating around in the cloud. You could certainly argue that breach notification could be required at that time. So, we can’t forget about security entirely now, and we have to anticipate these possibilities.”
“Good Faith” Requires Proof
The HHS announcements speak of “good faith” efforts towards privacy in providing healthcare during the pandemic. For example, a recent article in HIPAA Journal states:
In cases where HIPAA Rules have not been followed to the letter, OCR will consider all facts and circumstances to determine whether there has been good faith provision of telehealth services.
So, if questions come up later, it will be important to have those facts and circumstances well documented. Think about the many things healthcare and privacy staff can document now to prove good faith and consistency in the future:
- Doctors can document good faith efforts to obtain patient consent for disclosure to family, friends, and others who are involved in healthcare decisions or who may have been exposed to COVID-19.
- When healthcare organizations have to adapt privacy processes to current circumstances, the discussion and decisions can be documented. (In a recent blog, we explored Chapman’s excellent example of deciding how to present privacy policies to patients during telehealth consultations.)
- If there are privacy-related incidents, such as the Zoombombing that Greene posited, and decisions are made not to notify because of current waivers, incident response teams can document those considerations in the incident record. (If you are reviewing incident notification recommendations in the Radar incident response automation platform, you can enter this information when you enter your notification decisions.)
Withstanding the Judgement of (HIPAA) History
It remains to be seen how today’s privacy decisions will be viewed in the future, but there is reason for concern. As the pandemic begins to ease, backlash has begun against stay-at-home orders and other measures taken to ensure public health. And until there is a vaccine, exposure to coronavirus could have social implications.
For example, a positive antibody test might give a would-be delivery driver a hiring advantage, if an employer decides temporary immunity reduces the risk of sick time. Or a positive virus test could prompt discrimination if providers were to refuse service or care in order to protect themselves. The privacy questions that arose from the HIV/AIDS epidemic provide a taste of the issues that could soon arise around COVID-19 disclosures.
The saying goes that “hindsight is 20/20,” but a person’s view also depends on where they are standing. Regulators and patients looking back on today’s privacy decisions may not always understand what the conditions were on the ground at this time. If that happens, thorough documentation will be the best defense against potentially punitive judgement. So, here’s an aphorism for our time: “An ounce of documentation is worth a pound of hindsight.”
If you want to attend upcoming online sessions, receive new content, and network with colleagues about privacy challenges, you can join The Privacy Collective here.
Topics: The Privacy Collective