HIPAA

State Laws vs HIPAA
HIPAA, Legislation

State Laws vs HIPAA – What You Need to Know

June 8, 2020 Comments Off on State Laws vs HIPAA – What You Need to Know

June 8, 2020 When it comes to regulations surrounding the privacy and security of health information, federal HIPAA laws are typically the golden rules to follow. But did you know that many states have their own laws surrounding patient rights, data privacy, and medical records which sometimes overrule the federal guidelines? These state laws either predate the enactment of HIPAA or were passed to create stricter safeguards and typically focused on technology use. We understand HIPAA laws are confusing, and ensuring that you’re following the rules only becomes a little harder when it’s not crystal clear which rules are the ‘right’ ones.  It’s important to note that when HIPAA laws and state laws go head to head, HIPAA typically comes out on top. But like most things, there are some exceptions to the rule where the state law takes precedence. These specific instances include:  In HHS’ own words, “HIPAA provides a Federal floor of privacy protections for individuals’ individually identifiable health information,” basically meaning that any laws that are viewed to be ‘weaker’ than HIPAA regulations will be overruled. State laws will also be overruled if they contradict a HIPAA law. It’s not always easy to determine which laws are stricter and there are many areas of overlap between HIPAA regulations and state-specific laws. To try and give some clarity, here are some topics that commonly conflict each other:  Source: healthinfolaw.org As data privacy has become an increasing topic of concern, individual state’s as well as the federal government have been enacting stricter policies on matters that concern the security and privacy of electronic health information. More recently, events such as the COVID-19 public health emergency have been a catalyst for updating regulations to best meet the changing needs of the public. And as HIPAA laws, as well as state laws, have been under constant update, it’s harder for practices to keep up. We know that HIPAA alone is confusing, especially when you add in state-specific rules and regulations, which is why Abyde dynamically generates policies and procedures specific to your practice and the state you’re located in if applicable. With Abyde you don’t have to worry about reading through pages of laws, determining whether there are any contradictions, and figuring out which law preempts the other – we’re here as your HIPAA experts to help do so for you! While we know HIPAA like the back and maybe even front of our hand, there may be laws outside of HIPAA that impact your practice and overall operations – this blog article shouldn’t be considered legal advice, and we always recommend consulting with a legal team regarding your practice’s legal needs!

What is a HIPAA Security Risk Analysis
Best Practices, HIPAA

So, What Exactly is a Security Risk Analysis?

June 2, 2020 Comments Off on So, What Exactly is a Security Risk Analysis?

June 2, 2020 You might be aware that all practices need to complete a ‘Security Risk Analysis’ as a part of their HIPAA compliance program, but do you know exactly what this analysis covers? While this is the first step and among the most important aspects of a complete HIPAA program, it is often missed or not properly completed – in fact, during the latest round of OCR audits, 86% of covered entities could not show a properly documented Security Risk Analysis for their practice.  The HIPAA Security Rule defines a Security Risk Analysis (SRA) as an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronically protected health information held by the covered entity or business associate.” In layman’s terms, the risk analysis is a systematic review of your processes and policies that is ultimately designed to shed light on any aspects of your practice that could be considered weaknesses in protecting the privacy and security of your practice and the protected health information (PHI) it holds. Not having a properly documented analysis leaves potential risks unidentified and is a huge red flag for your overall compliance efforts. What questions does an SRA need to include? There is no specific checklist to follow when it comes to performing a risk analysis for your practice. The OCR does however provide specific elements that should be included. Your assessment should:  Completing a risk analysis for your organization is not just a one-time thing. Assessments should be reviewed periodically, especially as new work processes are implemented or technologies are updated. After events such as COVID-19, addressing any changes your practice made regarding remote operations, utilizing telehealth services, or receiving/providing more information electronically rather than in a physical exchange are all things that will need to be addressed for any additional vulnerabilities or threats they brought on.  What’s the best way to tackle an SRA? If your organization hasn’t completed an SRA before or has done so in a more basic or incomplete manner, using an outside organization will help to ensure all areas of the SRA are fully completed and documented accordingly. A third party can also help add new areas and questions to the SRA that reflect changing regulations as well as technology enhancements that present new threats or vulnerabilities to your organization.

It’s Time to Trash Your HIPAA Binder
Best Practices, HIPAA

It’s Time to Trash Your HIPAA Binder

May 27, 2020 Comments Off on It’s Time to Trash Your HIPAA Binder

May 27, 2020 You can shred it, burn it, use it as a paperweight – we don’t really have a preference – but by all means, it’s time to move on from your out-dated physical HIPAA manual. When trying to comply with HIPAA regulations, it may seem counterintuitive to roast smores using documented privacy policies and procedures, but now is the perfect time to grab your massive HIPAA binder that hasn’t been touched in years and toss it out with yesterday’s newspaper. Technology has paved the way for increased efficiency within medical practices. The days of thumbing through filing cabinets have been relieved by databases providing instant access to everything your practice may need. This transformation provides countless benefits for both practices and patients, just as modernization has benefitted HIPAA regulations.  The medical industry, among others, continues to move towards more ‘paperless’ operations – including that bulky, cumbersome HIPAA manual most often left collecting dust in a closet within your practice. Despite these advances, many practices are still relying on a physical binder or other paper-based resource to keep track of their HIPAA compliance policies and procedures. In fact, many may still think that a paper manual is the only way to meet HIPAA requirements. While this would be a valid source of documentation should your practice ever experience a data breach or audit, HIPAA regulations don’t specify the need for a physical or paper copy of your documentation. In fact, there are many benefits to taking your stack of unused papers into the electronic realm. An electronic binder (especially one through a cloud-based software provider) offers a number of benefits, including: There is a lot that comes with maintaining HIPAA compliance – and the biggest hurdle many practices face is having the proper documentation of this culture of compliance. If your practice has put in the hard work to complete your risk analysis, documenting that work properly and in an accessible format is essential. In fact, 83% of practices that were audited by the OCR in 2019 did not have a properly documented security risk analysis. This is in part due to outdated paper policies that don’t fit the practice’s current structure or procedures. An electronic and continually updated HIPAA ‘binder’, in contrast, fulfills all HIPAA regulations and requirements around documentation. COVID-19 has had a large impact on HIPAA enforcement and regulations, and many practices have begun utilizing telehealth services as well as implemented new policies and procedures surrounding cybersecurity during newly remote operations. All of these changes and updates to your practice’s work with PHI, even if it’s just temporary, must be documented properly within your HIPAA manual. Having an electronic version of your manual means going in and updating with a few clicks of a button – saving your practice time (and paper) during an already turbulent time.  If your practice has always had a paper HIPAA binder, moving to an electronic manual that offers all of the above features may be easier said than done. That’s where a HIPAA compliance software solution, like Abyde, comes in to ensure your HIPAA program is up-to-date with any new changes regarding HIPAA or state-specific laws with dynamically generated policies and procedures built specifically for your practice – providing you much more than just an updated version of your HIPAA manual. If your practice has been stuck on paper, let us show you how going electronic can save you hours of HIPAA headaches.

Returning to Office Remote Healthcare Workers
HIPAA

We Know You Want to Get Back to the Office – Here’s How

May 14, 2020 Comments Off on We Know You Want to Get Back to the Office – Here’s How

May 14, 2020 Is working in your living room with your pets/kids/significant other driving you crazy yet? Us too – but here’s why a measured approach is important to returning back to the office 2020 has been anything but predictable and it’s hard to speculate exactly how life after COVID-19 is going to be – or how soon we’ll get to the point we can call ‘after’. Some healthcare practices along with other businesses have started reopening their doors but with how much has changed over the course of the past few months, it’s easy to find yourself wondering which way is up when it comes to easing back into life outside of the bubble we’ve been living in.  As many organizations transition back from working at the kitchen table in pajamas, the question of “is it safe to bring employees back into the office” is not taken lightly. Practicing social distancing, wearing protective face masks, and self-isolating, if you have any potential symptoms, are all preventative measures that we should anticipate continuing for the foreseeable future. If your practice is considering bringing employees back into an office environment to continue offering medical services, here’s are a few things to consider: 1. Limit Employee Risk in Returning to Work Healthcare personnel, whether they have been on the front lines during the pandemic or not, have been and will continue to be at risk for contracting or spreading the virus. The CDC issued several strategies on how healthcare providers can determine whether their staff members can safely return to work or not based on monitoring for symptoms over the recommended course of time along with COVID-19 tests.  Some businesses have discussed screening employees for the virus prior to returning to work to ultimately ensure a safer work environment, yet this concept must still take into consideration HIPAA privacy laws regarding testing results being released to businesses. In fact, the HIPAA Privacy Rule does allow for healthcare providers to disclose patient information to employers only if the patient gives written consent authorizing the release or if the testing falls under HIPAA’s workplace medical surveillance exception. If the employer pays for the testing they are eligible to receive information regarding when the testing occurred but, importantly, not the results of the test. Whether you decide to engage in testing or not, make sure that any PHI generated as a result of testing still follows HIPAA guidelines for privacy and security. 2. Prepare for Limited Waivers to Expire HIPAA has been a headlining topic throughout the pandemic as the CDC has been constantly updating regulations and enforcement discretions to best mitigate health risks to the public. Good faith provisions for disclosing PHI as well as limited waivers for telehealth usage were among the top changes to HIPAA, but as highly emphasized in each waiver, these discretions only remain in place for the duration of the public health emergency. It’s important for healthcare providers to continue to keep HIPAA compliance a priority especially as waivers begin to lift and to be fully prepared to return to normal enforcement. If your practice has been using telehealth to continue seeing patients, for example, and you might continue to use telehealth even after a return to ‘normal’ operations, it’s essential that you utilize a vendor who offers HIPAA compliant video communication services to do so, and that you get a proper Business Associate Agreement signed with your vendor.  3. Ensure Remote Data Collection is HIPAA-Compliant You are probably already aware that PHI cannot be sent simply in an email. As many practices have sought new ways to manage remote operations and limit physical interaction, the same encryption and security standards must be applied as your practice would use to send PHI even before COVID-19.  If your practice is considering collecting more patient information or insurance information electronically instead of a physical form or insurance card, make sure you are utilizing a secure system like a patient portal or encrypted email server to transfer any sensitive data.  4. Consider Reviewing Passwords and Security Processes Over the course of the pandemic, cyber-attacks have been a looming threat, especially to healthcare practices. While working from home played a large role in enabling hackers to access protected information through less-secure networks, it’s important to not lose sight of these concerns even when you go back to your office. Continuing to look out for common scams and knowing how to identify and respond to a potential threat will always be important to ensuring the security of your practice. Consider changing passwords or login information after returning to the office that may have been compromised during remote work, and update your security software to the best possible protection. Review the devices used for remote work to determine if any further action is needed to ensure proper security if still working in part remotely.    With everything that 2020 has thrown our way – being confident and prepared in your ability to get your practice back up and running in a safe and HIPAA compliant manner will make all of the difference in the transition – and help make the rest of the year a little less stressful than the start.

Who Qualifies as a Business Associate?
Business Associates, HIPAA

Who Qualifies as a Business Associate?

May 8, 2020 Comments Off on Who Qualifies as a Business Associate?

May 8, 2020 As a business owner, you know there are a lot of elements that go into running a successful healthcare practice. It’s common to have third-party companies assist with everything from accounting, to document disposal, to managing remote operations through cloud sharing and telehealth services. These vendors may be a big part of keeping your practice running smoothly. While you may already do a fantastic job of checking your contracts with these vendors – your terms of service, payments, etc. – where many practices fall short is in reviewing your vendor’s obligations to protect your sensitive patient information. As a healthcare provider, your practice functions as a covered entity, and any vendor that comes into contact with PHI in the process of working with your practice becomes a Business Associate (BA). Not all companies that your practice hires come into contact with PHI, so how do you know who exactly qualifies as a Business Associate? The HHS defines a Business Associate as any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Some examples of Business Associates include: Once you determine who is considered a Business Associate to your practice, you must then institute formal agreements to ensure your practice and your third-party vendors are properly protecting the security of your patient information. This agreement highlights the specific elements of HIPAA compliance that should be followed by both you and each of your Business Associates, including: Even if a vendor comes into contact with your PHI only once, it’s better to play it safe and have the proper agreements in place – just that one instance could be the catalyst for a breach of PHI.  Not having the proper Business Associate agreements in place has been the cause of hundreds of HIPAA violations. One case, in particular, cost a medical practice in Utah a $100,000 settlement on top of a two-year corrective action plan. The practice filed a complaint against their EHR company who allegedly had been blocking access to patients’ ePHI. Although it might seem like the practice was a victim in this situation, the OCR found that there was no Business Associate Agreement in place – leaving the liability solely on the practice’s shoulders.  Data breaches, cyber-attacks, and improper handling of PHI can happen to your practice at any time as well as the companies you work with – especially when operating remotely or bringing on new vendors to help manage operations. Ensuring that you have the proper agreements in place is vital in not only protecting your patient data but offsetting the liability of your practice in the case of a breach. A software solution like Abyde makes this process a whole lot easier with a Business Associate Portal that automatically generates formal agreements with all the proper policies and procedures in place – taking the stress of HIPAA compliance off you and your vendors.

Patient Privacy During COVID-19
HIPAA

When it Comes to Sensitive Patient Information, Sharing is Not Caring

April 30, 2020 Comments Off on When it Comes to Sensitive Patient Information, Sharing is Not Caring

April 30, 2020 If you’re like most practices, you probably haven’t had the media knocking down your doors asking about sensitive patient information. But with the current public health emergency splashing patient stories across the web, healthcare organizations beware! Media outlets are on the hunt for positive cases of COVID-19 and it’s important to know the rules surrounding sharing protected health information (PHI) with the media if your practice gets caught up in the COVID-19 media wave. In general, COVID-19 or not, HIPAA law prohibits healthcare providers from disclosing a patient’s PHI to the media unless either the patient or their personal representative authorizes the disclosure or the disclosure fits within a specific HIPAA exception. We all know how the public reacts when something makes headlines (recent toilet paper shortages, for example) which is why it is so important to protect your patients’ privacy – especially when it comes to the media.  Some basic rules of thumb to know when facing a situation that might involve the media and patient information are:  In any situation where disclosure of PHI is involved – the media included – the provider must ensure that all the reasonable safeguards are in place to protect against any impermissible or incidental disclosures of patient information. In the event PHI is shared it must be kept to the minimal information necessary to abide by HIPAA law and protect the privacy of patients. In one recent case, an allergy practice found themselves in a HIPAA violation settlement after a patient of the practice contacted a local TV station regarding an incident at the practice, and when contacted to comment the practice impermissibly disclosed the patient’s PHI. This discussion with the media cost the practice a $125,000 settlement on top of a two-year corrective action plan. Some words of advice? If ever faced with a situation involving the media, don’t be blinded by the spotlight. Avoid publicly reporting any patient PHI or disclosing information upon media request. Simply responding with “no comment”, or having staff reply that they are not authorized representatives and cannot speak on the practice’s behalf could save your practice the hassle of dealing with major HIPAA violations and shelling out a big chunk of change.  A public health emergency, such as the current COVID-19 pandemic, brings some additional confusion in regard to sharing information to the public in order to mitigate further health risks. This uncertainty has often led to impermissible media disclosures, such as a Detroit Pistons player’s COVID-19 diagnosis which recently made headlines before he even had a chance to tell his own mother. Certain disclosures may be made to authorized organizations, but when it comes to sharing PHI to the media at large, it’s important to know what’s off-limits to best protect your patients’ privacy.

Common HIPAA Mistakes
HIPAA

Are you breaking HIPAA appropriate access laws, and don’t even know it?

April 22, 2020 Comments Off on Are you breaking HIPAA appropriate access laws, and don’t even know it?

April 22, 2020   Giving out protected health information (PHI) to everyone and anyone who inquires? Sure, we know most medical practices are wise enough to understand this would be a severe violation of HIPAA compliance laws. Most healthcare organizations may also know the importance of antivirus for computers, securing offsite data backups and other best practices for HIPAA but one area often overlooked is controlling the staff’s appropriate access to PHI and ePHI.  Knowing the ins-and-outs of what is considered ‘appropriate access’ to patient data – i.e., giving only access that is necessary for staff to complete job functions and not carte blanche access to your data – can be confusing. COVID-19 has made several HIPAA regulations even more complex with thousands of healthcare workers across the nation finding themselves transitioning to remote operations with reduced hours or even facing layoffs or furloughs. These operational changes have caused some additional confusion as to when a practice must change or limit employee access to PHI. Adding to the complexity is attempting to ensure all staff are following appropriate guidelines when remotely accessing ePHI. Due to knowledge and time constraints for most independent medical practices, this can be so daunting that it is largely ignored. Access to patient records by staff must be limited to authorized business purposes only, regardless of the setting. Essentially, the only time an employee should view PHI is when it is necessary to effectively perform their job duties or with written permission from a patient. Some of these purposes include: Accessing patient records for reasons other than those necessary to complete job responsibilities is not permitted (ever, COVID-19 or not) and is otherwise considered a violation of patient privacy. It is a requirement under HIPAA to maintain access logs for this very reason – to identify any inappropriate access to PHI. Appropriate access isn’t just a best practice, but a key part of the Privacy Rule under HIPAA and grounds for HIPAA fines if noncompliance is discovered. Recently, more than 50 employees at a hospital in Chicago were fired immediately after it was discovered that they inappropriately accessed and viewed the medical records of an actor who had been treated at the facility. Nearly 80% of healthcare executives say that employee security awareness is amongst their greatest concern – making it even more essential that staff members are properly trained on appropriate access policies.  If you’re currently working from your kitchen table in your pajamas (no judgment, us too) you may not be aware of the additional threat you now pose to the security of patient data. Remote work environments, while critical in today’s climate, introduce less secure home networks and fewer safeguards than you might find in your office. It becomes even more essential to mitigate new threats by ensuring your staff knows not only appropriate ways to access data but are only accessing the minimal amount of data necessary to complete their job responsibilities. You can read our recent article for additional tips on how to safeguard data while working remotely here.   Unfortunately, in the current economic climate, many healthcare organizations are resorting to furloughing staff. This can add unprecedented challenges for practices trying to control appropriate access to protected health information. Even if an employee will be returning to your practice, there should still be a process in place to limit their access to PHI while furloughed. Removing access can be done by revoking the employee’s login credentials to the practice’s EHR system, recollecting any key or keycard they were given, or other security measures deemed necessary to limit their exposure to sensitive patient data. It’s important to keep in mind that any access removed can be restored when furloughed employees are brought back, but limiting access temporarily will help prevent unauthorized disclosures. Other helpful tips to keep in mind with appropriate access are: Ensuring PHI is accessed only when necessary is essential to protect medical practices and patients. Just as a practice doesn’t share financial information with all staff, sensitive patient data should have similar appropriate restrictions. During this difficult time, it is all the more important to have proper access policies in place and guidelines to guarantee the safety and security of patient data. Whether at home accessing PHI in your PJ’s, or looking to the future when we’re all back in our offices once again, appropriate access is key to essential data privacy.

Prioritize Your Practice’s Disaster Recovery Plan
Best Practices, HIPAA

Prioritize Your Practice’s Disaster Recovery Plan

April 16, 2020 Comments Off on Prioritize Your Practice’s Disaster Recovery Plan

April 16, 2020 Having a documented disaster recovery plan is incredibly important for healthcare practices to implement in preparation for a data breach, cyber-attack, or a public health emergency like COVID-19. A disaster can be defined as any event that compromises an organization’s operations, data, and network – and due to the current increase in cyber attacks during COVID-19, ensuring your practice is well-prepared for any disaster with a proper contingency plan is all the more important.  You know what they say: always plan for the worst, and hope for the best. We’d like to hope your practice never has to put your disaster recovery plan into action, but it’s better to be safe than sorry especially since it’s required by HIPAA law. The HIPAA security rule states that all healthcare practices must have a contingency plan in place to define the responsibilities of all staff members and overall practice procedures to restore IT systems that contain PHI in case of any disruptive event. The requirements within a disaster recovery plan can seem a little daunting, which is part of the reason why it’s essential to have your procedures in place before a disaster happens. Now let’s break down what exactly you need for your contingency plan:  When it comes to your practice’s disaster recovery plan, having everything properly documented and planned ahead of time will make all the difference in your ability to restore data and respond to an emergency correctly.  If your practice hasn’t created the right disaster recovery plan prior to a threat or event occurring, it’s always a good idea to immediately document and identify how your practice will respond as quickly as possible. Even if you already had a documented disaster recovery plan, when an event does occur it is a great opportunity to revisit your existing plan and adjust any needed areas to be as accurate as possible. Felling a bit overwhelmed? We have some good news for you. Abyde’s comprehensive solution will take the guesswork out of knowing if your practice is prepared. From documenting your risk assessment to generating policies and procedures specific to your practice, to a support team ready to assist you in the event of a disaster, if using Abyde, implementing your practice’s recovery plan won’t be stressful or time-consuming!

HIPAA for Business Associates Checklist
Best Practices, Cybersecurity, HIPAA

Technical Safeguards for Cybersecurity

April 10, 2020 Comments Off on Technical Safeguards for Cybersecurity

April 10, 2020 HIPAA has been around for quite a while – since 1996, in fact – and part of HIPAA law has always included required safeguards to secure all aspects of a medical practice’s protected information. With the rapid adoption of technology within the healthcare industry, technical safeguards included in HIPAA law are some of the most important for practices of all sizes to implement. Technology has enabled businesses in the healthcare industry to move operations offsite. In light of the current public health emergency, allowing for access to all essential data without having to step foot into the office is vital to ensuring practices are ready to see patients after the social distancing rules are relaxed. While these advancements simplify and enhance your business operations, they have made a hacker’s job that much easier as well. Technical safeguards are the documented strategies and solutions that practices implement to secure electronic protected health information and control access to it. These include:  When it comes to the question of which data actually needs to be safeguarded, the answer is pretty much all of it. Any data that is accessed by, sent to or received from other practices or authorized vendors need to be protected as well as any data that has traceable identification that can be linked to a patient. This sensitive data must be encrypted prior to sending or receiving. Encrypting data may seem like a daunting task, but at a basic level, it just means making PHI unreadable to anyone other than the intended parties. Recent Cyber Threats Tied to COVID-19 While ensuring your practice is prepared for a cyber attack is always important, cyber threats have been headlining the news a lot lately along with the current COVID-19 health emergency. Hackers are taking advantage of this time of increased public vulnerability as well as increased use of technology from unsecured networks while many people are working from home. Read up on common tactics utilized in these threats in our recent article. Over the past few weeks, including just yesterday, multiple government agencies have issued warnings regarding recent threats to cybersecurity. These attacks range from individuals posing as government officials seeking access to PHI to other various phishing and malware distribution schemes utilizing the current concern and fear around COVID-19 as hackers ticket into your sensitive data.  Further guidance can be found in the public service announcement released by the FBI and yesterday’s bulletin from the CISA. Hackers aren’t just attempting to play the roles of OCR investigators, or focusing on sending you phishing emails – now your video-teleconferences are at risk too. Video chat apps have become increasingly popular whether it’s for telehealth appointments, office meetings, , or even just virtual happy hours with friends – it’s the best way to stay connected during this time of social distancing. Unfortunately, this added reliance on technology is just another way for scammers to attack. The FBI released additional guidance on defending against Video-teleconferencing (VTC) hijacking and “Zoom-bombing” which refers to attacks directly on the increasingly popular Zoom platform. Some noteworthy tips from this guidance include making sure your virtual meetings are private by requiring a password to gain access. Keeping these meetings private means keeping them off social media or other public-facing platforms so only provide meeting links directly to the individuals you want to be included. These attacks on video chatting software are especially important for medical practices to be aware of as just a few weeks ago the OCR updated their telehealth service regulations allowing doctors to use various communication apps to diagnose and treat patients while maintaining a safe distance.  Practicing Good Cyber Hygiene When it comes to cybersecurity, it’s important to know what to look out for, how to report any potential threats, and most importantly how to keep your practice and your patient data safe. Just yesterday, CISA, the United States Department of Homeland Security (DHS), and the United Kingdom National Cyber Security Centre (NCSC) issued a joint release featuring additional guidance on how to spot potential threats. Important tips for safeguarding your practice’s security during this time of increased risk include: There’s a lot of good ‘cyber hygiene’ out there, but here are a few top tips to keep your practice operations clean: If you have questions about technical safeguard requirements, Abyde has a team of HIPAA compliance experts ready and willing to help navigate your practice through these recent changes. If your practice is interested in learning more, sign up for one of our complimentary HIPAA compliance webinars where we’ll discuss HIPAA & COVID-19 from the comfort of your current remote work location.  

HIPAA During COVID-19
HIPAA, Legislation

Business Associates & Relaxed HIPAA Regulations During COVID-19

April 8, 2020 Comments Off on Business Associates & Relaxed HIPAA Regulations During COVID-19

April 8, 2020 The Office for Civil Rights (OCR) has been very active this past month, going above and beyond to help mitigate the risk COVID-19 poses to public health privacy. Certain HIPAA regulations were updated in March to allow for health care practices to better work with patients in need of healthcare services as well as providing guidance on how to best disclose PHI without risk of a data breach. In their latest announcement, the Office for Civil Rights has extended the same enforcement discretion to Business Associates. When it comes to Business Associates handling PHI, there are obviously strict limitations to follow for the sake of still maintaining patient privacy. As clearly stated in the recent OCR bulletin, business associates are expected to follow the same guidance provided for health care providers when accessing or disclosing PHI during a public health emergency.  Previously, these disclosure permissions were only allowed if expressly stated within the Business Associate Agreement with the BA’s covered entity. In light of the current situation, there is a greater need to easily provide public health authorities and emergency operation centers with access to COVID-19 related PHI and this bulletin reinforces the Business Associates’ ability to share that information securely. Violations of certain provisions of the HIPAA Privacy Rule will not be imposed during this time, if and only if: While this notice provides business associates with greater flexibility than some Business Associate Agreements allow for, that doesn’t mean that BAAs no longer matter. It should be noted the relaxation of enforcement does not extend to any other requirements under HIPAA law, and business associates will still be held liable for any violations outside of this circumstance – provided of course a BAA is in place.  As a reminder, a Business Associate Agreement allows the covered entity to obtain “satisfactory assurances”  that the business associate will “appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.” This definition, straight from the HHS website, encompasses the need for BA’s to agree in writing to the same standards the covered entity is held to. A BAA must be completed with any vendor or organization the practice sends or receives any piece of PHI from. Without a proper agreement in place, the liability of this security breach will fall on the healthcare provider.   Contrary to what most might think, HIPAA really is here to help encourage providing access to and sharing of PHI as long as it is done in the right ways and for the right reasons. OCR Director Roger Severino makes this abundantly clear in his statement following the updated bulletin stating, “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”  This latest bulletin is just additional proof that HIPAA compliance is of the utmost importance during the COVID-19 public health emergency. All eyes right now are on data being shared between multiple government agencies like the HHS, CDC and even the White House. With secure and efficient access to real-time data, those organizations will be enabled to make educated decisions on how to best interpret and utilize the sensitive data received and, in turn, secure the well being of the public at large. We find it extremely comforting to know that by following the OCR’s recent HIPAA guidance, providers and business associates alike can play their part in stopping the spread of COVID-19.