April 8, 2020

The Office for Civil Rights (OCR) has been very active this past month, going above and beyond to help mitigate the risk COVID-19 poses to public health privacy. Certain HIPAA regulations were updated in March to allow health care practices to better work with patients in need of healthcare services, and guidance was issued on how to disclose PHI without risking a data breach. In its latest announcement, the Office for Civil Rights has extended the same enforcement discretion to Business Associates.

When Business Associates handle PHI, there are strict limitations to follow so that patient privacy is still maintained. As clearly stated in the recent OCR bulletin, business associates are expected to follow the same guidance provided for health care providers when accessing or disclosing PHI during a public health emergency. Previously, these disclosure permissions were only allowed if expressly stated within the Business Associate Agreement with the BA’s covered entity. In light of the current situation, there is a greater need to easily provide public health authorities and emergency operation centers with access to COVID-19 related PHI, and this bulletin reinforces the Business Associates’ ability to share that information securely. Penalties for violations of certain provisions of the HIPAA Privacy Rule will not be imposed during this time, if and only if:

While this notice provides business associates with greater flexibility than some Business Associate Agreements allow for, that doesn’t mean that BAAs no longer matter. It should be noted that the relaxation of enforcement does not extend to any other requirements under HIPAA law, and business associates will still be held liable for any violations outside of this circumstance – provided, of course, a BAA is in place.

As a reminder, a Business Associate Agreement allows the covered entity to obtain “satisfactory assurances” that the business associate will “appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.” This definition, straight from the HHS website, encompasses the need for BAs to agree in writing to the same standards the covered entity is held to. A BAA must be completed with any vendor or organization the practice sends any piece of PHI to or receives any piece of PHI from. Without a proper agreement in place, the liability for a breach of that PHI will fall on the healthcare provider.

Contrary to what most might think, HIPAA really is here to encourage providing access to and sharing of PHI, as long as it is done in the right ways and for the right reasons. OCR Director Roger Severino makes this abundantly clear in his statement following the updated bulletin: “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”

This latest bulletin is just additional proof that HIPAA compliance is of the utmost importance during the COVID-19 public health emergency. All eyes right now are on data being shared between multiple government agencies like the HHS, CDC and even the White House. With secure and efficient access to real-time data, those organizations will be able to make educated decisions on how to best interpret and utilize the sensitive data received and, in turn, secure the well-being of the public at large. We find it extremely comforting to know that by following the OCR’s recent HIPAA guidance, providers and business associates alike can play their part in stopping the spread of COVID-19.
March Recap: HIPAA Was Made for This
April 2, 2020

We know times are a little turbulent right now. Way of life in America looks a lot different at the end of March than it did at the beginning of the month. Most of us are now working from home, cleaning and washing our hands more than ever before and worrying about when stores will finally restock on toilet paper. And like many of us, healthcare professionals across the United States have been following the growing number of COVID-19 cases with great concern. It’s a looming reality that some have even been in contact with patients who have tested positive for the Coronavirus.

However, when it comes to sharing sensitive medical information, there are many misconceptions that paint HIPAA as an obstacle rather than what it is intended to promote – the sharing of protected health information securely, efficiently and with the right people. What so many don’t understand is that HIPAA rules and regulations identify the right ways and the wrong ways of making sensitive information accessible – especially in times of crisis. Even during a public health emergency, HIPAA still applies – in fact, HIPAA law has included specific ways in which PHI can be shared in a health emergency pretty much since its inception. These regulations include an expanded ability to share PHI with those directly working on the public health threat, but still prohibit disclosures that are not secure, such as those to the public at large.

A great example of this is the recent news headlines featuring the names of well-known public figures testing positive. These individuals chose to share their diagnosis and spread awareness, but if diagnoses are made public without the required patient consent – like what happened to a Detroit Pistons player whose positive test made headlines before he had a chance to tell his own mother – HIPAA laws have been violated.

Media leaks are common, but sensitive health information should be handled with extreme care. HIPAA was built to mitigate public risk during a health emergency while still maintaining the privacy that all individuals deserve. Despite what you may have heard, HIPAA doesn’t make it impossible for you to know whether you’ve been in contact with an infected person – it just regulates the type of information that is shared. With misinformation and public anxiety swirling, read up on our simplified guidance on handling HIPAA during a public health emergency to learn more.

The OCR has also released several bulletins serving as both updates and reminders on HIPAA regulations to best meet the current needs of patient privacy. To make things a little easier, here’s a quick summary of recent bulletins regarding COVID-19:

With the constant news stories and anxiety around COVID-19, we know it can be tough to keep up with HIPAA on top of everything else. Yet as with any health-related event, HIPAA is key to protecting patients’ privacy and preventing other threats to patient data & security. In short, HIPAA is more important now than ever.
COVID-19 Brings Increased Risk of Cyber Attacks
March 19, 2020

The situation around COVID-19 (Novel Coronavirus) has continued to evolve across the globe, including recent changes to HIPAA & Telehealth as well as how to share PHI during this public health emergency. Late last night, the OCR & Cybersecurity and Infrastructure Security Agency (CISA) released another bulletin regarding new concerns around maintaining the security of your data and PHI. Scammers frequently increase their attacks during a public emergency, when they know there is an increased dependence on digital communications and heightened fear and uncertainty, and the bulletin included several recommendations to protect your practice.

CISA warned individuals of the increased cyber threats related to the Coronavirus. They recommend caution when receiving any email with a subject line related to COVID-19, as well as anything containing an attachment or hyperlink, as these often lead to fraudulent websites asking individuals to provide private information. To exercise proper security measures, CISA offered specific precautions to take:

Leveraging public fear during a health emergency isn’t the only tactic used by scammers during this Coronavirus outbreak. As most companies have decided to move to remote operations, there is an even larger window for cyber threat actors to reach private information, since sensitive data is now accessed through unsecured networks. Good “cyber hygiene” to instill in your practice includes:

Protecting PHI from cyberattacks also means ensuring you are aware of the HIPAA regulations surrounding public health emergencies. Reminding employees of appropriate access to PHI and implementing controls, such as applying additional protections for COVID-19 health records, are especially important. As the news continues to focus on the Coronavirus, individuals who have access to public health records may become curious about the health of those around them. It is important to ensure that PHI is only accessed when necessary, especially on less secure wireless networks such as those used when working from home.
Updates to HIPAA & Telehealth During COVID-19
March 18, 2020

Amidst the current national public health emergency for COVID-19, or the Novel Coronavirus, the OCR has released a bulletin regarding the increased use of telehealth services among the medical community. In addition to the bulletin, during a press conference held yesterday, the OCR acknowledged the need for healthcare providers to seek remote communications with their patients, and recognized that these technologies may not be fully compliant with standard HIPAA regulations. OCR Director Roger Severino emphasized in a statement, “We are empowering medical providers to serve patients wherever they are during this national public health emergency,” adding, “We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”

Under this update, any healthcare provider has the ability to use any non-public facing remote communication technology to provide telehealth services. This enforcement discretion applies to telehealth services needed for any reason, not strictly for the diagnosis or treatment of COVID-19 related health conditions. During this time, the OCR will not impose penalties for noncompliance on healthcare providers who provide telehealth in good faith during this national emergency. This provision also allows healthcare providers to use their own judgment in examining a patient showing potential COVID-19 symptoms using technology such as video chat applications. This allows providers to assess a larger number of patients as well as limit the risk of exposure to the virus during an in-person consultation.

Telehealth services can be provided on any non-public facing communication application without facing noncompliance penalties. Some acceptable applications include:

Other similar video communication methods, such as Facebook Live, are considered public-facing and should not be used in the provision of telehealth.

Health providers can seek additional privacy protections by providing telehealth services through technology vendors that are HIPAA compliant. They can enter into business associate agreements with these vendors for the provision of their video communication products. Some of the vendors that offer HIPAA-compliant video communication services include:

While there will not be any enforcement of HIPAA noncompliance against providers choosing to utilize these methods of communication, it is still important to understand the associated security risks. The OCR recommends that providers notify patients when using these third party applications for these services, as they potentially introduce privacy risks, and that any available encryption and privacy settings be enabled during use. If, as a provider, you already have a HIPAA-compliant and secure telehealth application, it is still recommended to use the most secure application available to you. Even during a public health crisis, HIPAA law still applies and includes specific caveats for sharing PHI in such an emergency. Read our blog article on Handling HIPAA During Public Health Emergencies for more information.
How to Handle HIPAA in Public Health Emergencies
February 6, 2020

Wondering how your practice needs to handle HIPAA privacy when it comes to public health emergencies, like the recent Novel Coronavirus outbreak? Read the OCR’s tips below!

As the Novel Coronavirus (2019-nCoV) outbreak continued to make news, the Office for Civil Rights (OCR) sent out a bulletin including additional information on how to handle PHI and how the HIPAA Privacy Rule should be applied with regard to public health emergencies such as this one. Even in public health emergencies, covered entities (as well as business associates) are still expected to adhere to HIPAA regulations and safeguard the security and privacy of their PHI consistent with HIPAA law. Here are a few key takeaways from the OCR bulletin that your organization should remember:

As a reminder, all PHI disclosures, even in these circumstances, should be limited to the minimum information necessary, including continuing to adhere to role-based access for internal employees. If a public health agency such as the CDC requests information, all requested information should be treated as the minimum necessary for the public health purpose.