Understanding HIPAA Compliance During Coronavirus
The coronavirus pandemic has required us all to adapt, and privacy teams are on the front lines, dealing with rapid and disruptive changes. To help, RadarFirst has created The Privacy Collective, a community with content and programs where we can share our challenges and learnings and move forward together. In this blog, we will look at one of the immediate challenges U.S. healthcare privacy teams have faced: the relaxation of HIPAA and other privacy regulations. (Privacy regulations are being relaxed or delayed around the world during the pandemic, leaving privacy teams in many countries facing similar questions.)
In March and April, the U.S. Department of Health and Human Services (HHS) announced a limited waiver and a number of enforcement discretions affecting HIPAA and other medical privacy laws, intended to:
- expedite treatment
- provide relief for overwhelmed healthcare providers
- facilitate virus tracking and research
But the changes have also raised a lot of questions for healthcare operations and privacy practices.
To help, The Privacy Collective recently hosted a live panel discussion with Adam Greene, partner at Davis Wright Tremaine (DWT) and a former regulator at HHS, and Richard Chapman, Chief Privacy Officer at UK HealthCare, the hospitals and clinics of the University of Kentucky. Here are some of the things we learned about HIPAA compliance under the influence of COVID-19.
How Coronavirus has Changed the Rules for HIPAA Compliance
HHS has made several announcements in the last few months about temporarily relaxing enforcement of the HIPAA Privacy Rule. In fact, some of the original rules were created to specifically handle situations like the coronavirus pandemic. Before joining DWT, Adam worked on HIPAA and the HITECH Act at the U.S. Department of Health and Human Services in its Office of General Counsel and Office for Civil Rights, so we asked him about the provisions for this kind of situation.
What HIPAA Privacy Rule disclosures already existed to handle a situation like COVID-19?
Answer: (Greene) “Back in 2000, when HHS was finalizing the privacy rule, infectious disease was certainly on the radar. So, there are a lot of things in the HIPAA toolkit to address this. One powerful tool is that one person’s information can be used to treat another person.
For example, if you get a COVID-19 positive result for one patient, you can use that information to treat other people who may have been exposed, such as family members, staff, first responders, or others, when it may be relevant to their diagnosis and treatment.
There are also permitted disclosures to public health authorities. And there are certain permissions to notify people who may have been exposed to an infectious disease, although that can be a bit more complicated because the HIPAA permission looks at ‘serious and imminent threat’. That standard has more commonly been applied, for example, to people who express violent intent during therapy. But it does also apply to public health situations.”
The COVID situation has also created a surprising amount of confusion about what constitutes protected health information. We think of PHI as being well-defined under the law but reporting to health authorities and the press has raised questions of what is “identifiable.” Adam Greene explained the questions he’s fielding from his clients.
What qualifies as PHI now?
Answer: (Greene) “The first big questions I was seeing were around reporting:
- ‘When we get our first COVID-19 case, can we confirm that?’
- ‘Can we say we have a COVID-positive patient if we don’t mention their name?’
The issue is that, in order to not be treated as individually identifiable, patient information either goes through de-identification by an expert, which no one has time for, or it has to pass the “safe harbor” method. That includes getting rid of 18 categories of identifiers, such as date of service, plus confirming that no receiver of the information would know who you’re talking about.
The “actual knowledge” test is hard: the general public might not know who you’re talking about, but others in the community might know exactly. Also, if you’re reporting about aggregate information such as, “This week we have 12 COVID patients,” is that PHI? Lots of people think not, but there is some theoretical risk there. I don’t think regulators are jumping to enforce the rules against these kinds of disclosures, but it is important to recognize that there’s a risk.”
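The “safe harbor” method Greene describes is mechanical enough to show in code. The following is an added example written for this post, not code from RadarFirst, DWT or UK HealthCare: a minimal scrubber that applies the Safe Harbor rules he mentions (remove direct identifiers, reduce patient-related dates to the year, aggregate ages over 89 into a single “90+” bucket, truncate ZIP codes to three digits) to a constructed sample record. The record, the field names and the free-text regexes are assumptions for the demo; the restricted three-digit ZIP list is the one HHS published from 2000 Census data and should be verified against current guidance before use. It also illustrates the point Greene makes about “actual knowledge”: regexes catch phone numbers, e-mail addresses and dates in free text, but not a name or a detail that a neighbour would recognise, so free-text fields still need human review or removal.

```python
"""Added example: a minimal HIPAA Safe Harbor de-identification pass.

Not the panelists' or RadarFirst's code. Field names, regexes and the
sample record are assumptions chosen for the demonstration.
"""
import re
from datetime import date

# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0048213",
    "dob": "1928-03-14",
    "admit_date": "2020-04-02",
    "zip": "40506",
    "phone": "859-555-0100",
    "email": "jane@example.org",
    "diagnosis": "COVID-19, PCR confirmed",
    "note": "Exposed at work 03/30/2020; spouse reachable at 859-555-0199 or spouse@example.org.",
}
AS_OF = date(2020, 4, 15)  # reference date used to compute ages

# Direct identifiers that Safe Harbor requires be removed outright.
DIRECT_IDENTIFIERS = {"name", "mrn", "phone", "email", "ssn", "account",
                      "ip", "url", "device_id", "plate", "license"}

# Three-digit ZIP prefixes HHS listed as covering 20,000 or fewer people
# (2000 Census). Safe Harbor requires these be reported as "000".
# Verify against current HHS guidance before relying on this list.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

DATE_RE = re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def year_only(iso_date: str) -> str:
    """Month and day of any patient-related date are identifiers; keep the year."""
    return iso_date[:4]


def age_bucket(dob: str, as_of: date) -> str:
    """Ages over 89 must be aggregated into a single '90+' category."""
    born = date.fromisoformat(dob)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age >= 90 else str(age)


def zip3(zipcode: str) -> str:
    """Keep the first three digits unless the prefix is too sparsely populated."""
    prefix = zipcode[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def scrub_free_text(text: str) -> str:
    """Mask what a regex can catch. Names and recognisable context are NOT
    caught here, which is exactly the 'actual knowledge' risk in the text:
    free-text fields normally need human review or should be dropped."""
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    text = DATE_RE.sub("[DATE]", text)
    return text


def safe_harbor(record: dict, as_of: date) -> dict:
    """Return a copy of `record` with Safe Harbor transformations applied."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # removed entirely
        if field == "dob":
            age = age_bucket(value, as_of)
            out["age"] = age
            if age != "90+":  # birth year alone would reveal an age over 89
                out["birth_year"] = year_only(value)
        elif field.endswith("_date"):
            out[field.replace("_date", "_year")] = year_only(value)
        elif field == "zip":
            out["zip3"] = zip3(value)
        elif isinstance(value, str):
            out[field] = scrub_free_text(value)
        else:
            out[field] = value
    return out


if __name__ == "__main__":
    for k, v in safe_harbor(SAMPLE_RECORD, AS_OF).items():
        print(f"{k}: {v}")
```

Running it on the constructed record drops the name, MRN, phone and e-mail, reports the 92-year-old patient as age “90+” with no birth year, keeps only the admission year and ZIP prefix “405”, and leaves the note reading “Exposed at work [DATE]; spouse reachable at [PHONE] or [EMAIL].” That last field is the caveat: the word “spouse” and the workplace context survive, which is why the method is a floor, not a guarantee.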
Adapting Privacy Practices to the New (Temporary) HIPAA Rules
Richard Chapman has the “boots on the ground” perspective on the HHS announcements. He told us his team has had to be agile in interpreting, applying, and communicating the modified HIPAA guidelines to UK HealthCare’s operations and employees.
Have your privacy processes changed as a result of modified OCR guidance?
Answer: (Chapman) “We’ve definitely had an evolution of process. Normally, when new guidance comes out from regulators, we can take time to think it through in our privacy and compliance office, figure out how it applies to us, and communicate this guidance out to different groups. When we got the February reminder guidance from OCR, we realized that we would have to move a lot more quickly. We needed to stay better coordinated so we could be consistent in giving guidance to other parts of the organization.
As my boss liked to remind us, ‘At some point, we have to unwind some of this. We’ll have to document our rationale when we have made policy exceptions and be able to justify them.’ Early on, we created a multi-disciplinary regulation group that met twice a week to go through the announcements from HHS and make sure whatever guidance we were giving was consistent.”
Has your organization’s treatment of PHI changed as a result of COVID-19?
Answer: (Chapman) “The PHI was also an important piece for us. For example, if we report to public health that we have an employee infected, how do we treat this information? Fortunately, our infection prevention group has a close working relationship with the local health department, as we could rely on our state law relative to health reporting. We also had to make sure our managers understood that any such releases had to be coordinated with our internal privacy group and the local health department.”
What is the 1135 waiver? Does it mean that HIPAA has been waived?
Answer: (Greene) “The 1135 waiver is something in the Social Security Act that allows waivers for certain requirements across different laws, including HIPAA, when there’s an emergency. And it always causes a lot of confusion.
It allows hospitals that are in the area that has been declared an emergency, for 72 hours after they’ve implemented their disaster protocols, to not have to comply with certain limited HIPAA requirements.
Invariably, every time it’s published, there are some people who go ‘HIPAA has been waived entirely.’ So there’s always this education, saying: ‘No, this is not a total and complete waiver of HIPAA.
While it’s helpful that it’s been invoked here, it’s not very suited for this kind of situation, because it essentially means that, while this emergency has been declared, it only applies to hospitals, and for those hospitals it’s only for a 72 hour period after they’ve initiated their disaster protocol that a few HIPAA provisions are temporarily waived. This is not a 72 hour crisis that we’re dealing with. So, the most important message is: Yes, there is an 1135 waiver; and no, that does not mean that HIPAA has been waived.”
Online polls during our live panel sessions confirmed that other privacy professionals are seeing the same challenges as UK HealthCare. While more than half of organizations feel they have a sufficient understanding of the HHS guidelines, there is still room for improvement. The two biggest concerns in sharing temporary exceptions to privacy law are making sure the messaging is accurate and ensuring that employees understand how the changes apply to their jobs.
New HIPAA Compliance Challenges: Telehealth and Instant BAs
Coronavirus has forced profound changes in healthcare practices, from the rapid adoption of telehealth services to shifting definitions of healthcare business associates (BAs). HHS has announced a number of temporary “enforcement discretions” to help the healthcare community deal with these shifts.
According to one report, the U.S. telehealth market is expecting 80 percent year-over-year growth in 2020 due to the COVID-19 pandemic. On March 17th, OCR announced that it will waive potential penalties for HIPAA violations against health care providers “that serve patients through everyday communications technologies during the COVID-19 nationwide public health emergency.” Adam Greene explained just what this means and what it does not mean.
What does the OCR enforcement discretion for telehealth mean for healthcare providers and others?
Answer: (Greene) “I first learned about this one morning when the President had a press conference and said HIPAA would not be enforced with regard to telehealth. I suddenly started getting emails from clients saying, ‘Wait. HIPAA has been waived?’ Luckily OCR was ready with guidance by that afternoon. This does not mean that HIPAA has been waived. It just means OCR will use its discretion in enforcing HIPAA with regard to telehealth providers.
However, remember that OCR is not the only enforcer of medical privacy: there are state Attorneys General, plus the Department of Justice for criminal violations, and they could also bring actions, although telehealth is probably not high on their enforcement lists. I also had questions from other groups such as health plans that offer nurse hotlines, asking whether the waivers applied to them. The answer is no; it only applies to healthcare providers.”
Richard Chapman said that, even with OCR guidance, the privacy team at UK HealthCare had to make a lot of decisions about how to deliver telehealth services while still providing good privacy in healthcare.
How did your organization handle the challenges of shifting to telehealth?
Answer: (Chapman) “It was an all-hands-on-deck effort with our IT and privacy teams. We wanted to start with good practices so that we wouldn’t have to retool bad practices later on. We concentrated on the expansion of the telehealth platform we already had. One of the immediate questions was how to deliver notice of privacy practices and get confirmation that it has been received. We worked with our IT team and looked at short-term options that would also fit with our long-term telehealth plan. We did some things with verbal consent that we might not have permitted before. With some other issues, there were no easy answers.
For example, if there are other people in the background during a telehealth session, what is our responsibility to make sure the patient is OK with that? We asked our providers to think about what they would normally do if a patient showed up in a clinic room with several people they didn’t know. How would they make sure the patient was comfortable with those people being there?”
Adam Greene also fielded a lot of questions about telehealth from tech companies, some of whom had never offered their platforms as HIPAA-compliant, but whose services were now being used for telehealth. He explained that, technically, some of these could now be considered business associates (BAs) of HIPAA covered entities. So, they could have HIPAA obligations that are not waived by the OCR notice of enforcement discretion, which is addressed to the providers, not to their vendors. Companies are understandably worried about being brought under HIPAA unwillingly, or facing potential penalties down the line when the current crisis is over.
Records Roasting on an Open Fire and Other Privacy Quirks of Coronavirus
This online session covered a lot of ground, and we’ll be reporting on more healthcare privacy issues in upcoming blogs. But the overall message from Greene and Chapman was loud and clear:
Despite all the misinformation to the contrary, HIPAA is still in force!
Greene mentioned one client who “will not put out anything with HIPAA and the ‘waiver’ word in the same sentence, because they know it will be misconstrued.” And Chapman agrees that there’s a lot of confusion: “My boss and I reached a point where, if we heard one more time that HIPAA was suspended, we weren’t sure what we would do.”
Healthcare processes are evolving and mutating almost as fast as the coronavirus situation, and the focus for privacy teams is to adapt privacy practices in real time and in ways that make sense. Sometimes that will require innovation, like Chapman’s team managing privacy notices for telehealth. Sometimes, it will require reminding staff that privacy standards still apply.
For example, Chapman fielded a question about staff working from home without paper shredders.
“We had to remind people that, if they are producing paper (and we encourage them not to), then that can’t be thrown into the trash. It has to be shredded securely at home, brought to the office for shredding, or destroyed by another appropriate method.”
To which Greene responded:
“What could be more wholesome, during these difficult times, than the family gathering to make s’mores over a pile of burning, discarded PHI?”
Truly, we live in interesting times.