We know times are a little turbulent right now. Way of life in America looks a lot different at the end of March than it did at the beginning of the month. Most of us are now working from home, cleaning and washing our hands more than ever before and worrying about when stores will finally restock on toilet paper. And like many of us, healthcare professionals across the United States have been following the growing number of COVID-19 cases with great concern. It’s a looming reality that some have even been in contact with patients who have tested positive for the Coronavirus. However, when it comes to sharing sensitive medical information, there are many misconceptions that paint HIPAA laws in such a way that make it appear as if it is an obstacle rather than what HIPAA is intended to promote – which is the allowance of protected health information to be shared securely, efficiently and with the right people. What so many don’t understand is that HIPAA rules and regulations identify the right ways and the wrong ways of making sensitive information accessible – especially in times of crisis. 

Even during a public health emergency, HIPAA still applies – in fact, HIPAA law has included specific ways where PHI can be shared in a health emergency pretty much since its inception. These regulations include an expanded ability to share PHI with those directly working on the public health threat, but still prohibit disclosures that are not secure such as those to the public at large. 

A great example of this is the recent news headlines featuring the names of well-known public figures testing positive. These individuals chose to share their diagnosis and spread awareness, but if diagnoses are made public without the required patient consent – like what happened to a Detroit Pistons player whose positive test made headlines before he had a chance to tell his own mother – HIPAA laws have been violated. Media leaks are common, but sensitive health information should be handled with extreme care.

HIPAA was built to mitigate public risk during a health emergency while still maintaining the privacy that all individuals deserve. Despite what you may have heard, HIPAA doesn’t make it impossible for you to know whether you’ve been in contact with an infected person – it just regulates the type of information that is shared. With misinformation and public anxiety swirling, read up on our simplified guidance on handling HIPAA during a public health emergency to learn more. The OCR has also released several bulletins serving as both updates and reminders on HIPAA regulations to best meet the current needs of patient privacy. 

To make things a little easier, here’s a quick summary on recent bulletins regarding COVID-19:

• March 28 Bulletin: In their most recent bulletin, the OCR reminded providers that at all times including during the current outbreak it is unlawful to discriminate when making decisions about patient treatment. The bulletin included a statement by OCR Director Roger Severino:  “HHS is committed to leaving no one behind during an emergency, and helping health care providers meet that goal.” 

• March 17 & 20 Bulletins: Skype is for more than just keeping in touch with friends and hosting virtual happy hours! To encourage the use of telehealth services to best protect patients and practices from the risk of contracting or spreading COVID-19, the OCR released a Notice of Enforcement Discretion which allows limited non-HIPAA compliant applications to be used for telehealth services only during the current crisis. A second bulletin offered additional information on FAQs relating to the enforcement discretion. Read more in our article discussing these changes to HIPAA and Telehealth Services. 
• March 18 Bulletin: Unfortunately, COVID-19 isn’t the only virus to be worried about these days. In response to recent cyberattacks related to the current public health emergency, the OCR and CISA issued a statement urging not only health care practices but all businesses to exercise increased precaution around websites or links related to COVID-19. Read more in our article about how public health emergencies bring an increased risk of cyber attacks.

With the constant news stories and anxiety around COVID-19, we know it can be tough to keep up with HIPAA on top of everything else. Yet as with any health-related event, HIPAA is key to protecting patients’ privacy and preventing other threats to patient data & security. In short, HIPAA is more important now than ever.