How to navigate COVID-19 HIPAA enforcement changes while safeguarding healthcare data


With rapid changes to HIPAA enforcement throughout the COVID-19 crisis, keeping up has been an ongoing challenge for healthcare providers. Understanding the aspects of HIPAA that have changed and when it is and isn’t appropriate for healthcare practitioners to disclose sensitive health data is vital, especially during the complex healthcare landscape of 2020. This blog post is designed to help healthcare privacy, security, and compliance professionals understand HIPAA 2020 changes and what can be done to safeguard PHI throughout this challenging time.

Healthcare privacy challenges

Protecting patient data is paramount for any healthcare organization – and even during an emergency, healthcare privacy, security, and compliance professionals remain firm that protecting sensitive data is a top priority. For example, Imprivata FairWarning asked healthcare practitioners about their top privacy concerns due to COVID-19 on two occasions three weeks apart – once on March 18, 2020 and again on April 8th. Although certain responses changed as clinicians gained more experience with treating COVID-19 patients, the top answer remained the same – protecting the privacy of COVID-19 patients.

Figure: COVID-19 healthcare privacy graph (survey results on top privacy concerns)

With HIPAA undergoing several changes in the first few months of 2020, how can healthcare organizations continue to safeguard the privacy of patient data while navigating updates to the law?

The OCR’s telehealth enforcement discretion

Throughout the pandemic, the OCR has posted guidance on telehealth, as well as a Notification of Enforcement Discretion that relaxes enforcement of HIPAA requirements for practitioners who provide telehealth services in good faith. The OCR recognizes that organizations are reducing the number of patients treated in person throughout the COVID-19 crisis to protect public health, and that HIPAA telehealth enforcement had to be relaxed to adapt to public need.

Who’s impacted by these HIPAA changes and how long will they last?

HIPAA’s telehealth changes apply to all healthcare providers who use telehealth services throughout the emergency. Patients are not limited to those who tested positive for COVID-19 – the changes apply to patients receiving any type of healthcare, from primary care to mental health. Furthermore, HIPAA’s recent changes to telehealth provisions will remain in effect until further notice.

What does “good faith” mean for providing telehealth?

What does the HHS consider to be “good faith”? For healthcare practitioners who care for patients using telehealth, privacy and security controls must be enabled to the best of their abilities. Good faith also applies to the technology used to provide telehealth – providers may use technology that allows them to connect privately with patients on a one-on-one basis; for example, a landline phone or a video chat app. However, good faith does not cover any public-facing applications such as Facebook or TikTok. The definition requires that all technology used for telehealth be secured as much as possible, and that patients are made aware of privacy risks ahead of time when using telehealth technology. Previously, tech companies that allowed clinicians to administer telehealth services had to sign a business associate agreement (BAA), but with the COVID-19-related changes to HIPAA enforcement, providers may now utilize technology from companies that have not signed a BAA. In spite of these efforts to relax enforcement for telehealth, the OCR nonetheless recommends that all technology used continue to follow the HIPAA Security Rule to safeguard patient data. Additionally, implementing proactive measures such as a patient privacy monitoring platform can help healthcare organizations identify and mitigate inappropriate access to PHI.

“Covered entities must continue to implement safeguards to protect information.” – Marissa Gordon-Nguyen, Senior Advisor, HIPAA Policy at the Office for Civil Rights (OCR)

What is “bad faith” in telehealth?

And what constitutes “bad faith” behavior in telehealth? According to a recent webinar by the College of Healthcare Information Management Executives (CHIME), bad faith use of telehealth includes:

  • Using public-facing applications such as Facebook or TikTok to provide telehealth
  • Criminal acts such as identity theft, fraud, and invasion of privacy
  • Sale of or marketing with PHI
  • Violations of state and local ethics laws

When is it permissible to disclose PHI during a health crisis?

Because COVID-19 is a public health crisis, questions have been raised as to when it’s acceptable to disclose PHI without patient authorization. In response, the Office for Civil Rights (OCR) has released three permissible bases for disclosing COVID-19 patient information:

  • When the disclosure is needed to provide treatment. This allows for disclosure to family members who are responsible for the patient’s care, and for a covered nursing facility to disclose patient information to emergency medical personnel.
  • When notification is required by law. HIPAA permits a covered entity to disclose the health information of a COVID-19 positive patient when a local or state law requires the reporting of those individuals.
  • To notify a public health authority or first responder in order to prevent or control spread of disease.

Limited waiver of HIPAA sanctions and penalties

On March 13th, 2020, the HHS announced a waiver to the HIPAA Privacy Rule under section 1135 of the Social Security Act, which affects specific portions of the HIPAA Privacy Rule and doesn’t impact the Security Rule. It’s also important to note that the waiver applies exclusively to hospitals within a geographic area where disaster protocols are in effect. Effective as of March 15th, the waiver applies to the following conditions:

  • Practitioners are not required to obtain patient agreement to speak with a patient’s family and friends for treatment-related purposes
  • Health centers will not be required to distribute a notice of privacy practices
  • A patient will not be permitted to request privacy restrictions or confidential communications

The waiver remains in effect for up to 72 hours after the hospital has implemented a disaster protocol.

Additional OCR notifications

In addition, on April 2nd, the OCR announced a Notification of Enforcement Discretion involving testing sites throughout the COVID-19 emergency. Designed to support covered healthcare providers, including certain pharmacy chains and their business associates, that choose to participate in a Community-Based Testing Site (CBTS), the notification means the OCR will not impose penalties for HIPAA violations arising from good-faith participation in a CBTS.

And on April 9th, the OCR released another Notification of Enforcement Discretion that enables healthcare business associates to disclose PHI for public health and health oversight activities in good faith throughout the COVID-19 crisis. This notification was issued to support public health authorities at the federal level, including the Centers for Disease Control and Prevention (CDC) and the Centers for Medicare and Medicaid Services (CMS), as well as state and local health departments and first responders who require COVID-19 health information.

“The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic,” said Roger Severino, Director of the OCR. “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”

It can be understandably difficult to stay ahead of the curve as key regulations change throughout an emergency. But with HIPAA’s updates to telehealth enforcement and the OCR’s Notifications of Enforcement Discretion, it’s clear that the privacy and security of patient data remain in focus, even as aspects of the law relax in order to allow medical practitioners and first responders to communicate effectively and provide treatment for patients throughout the COVID-19 crisis.