The Department of Health and Human Services Office for Civil Rights (OCR) has issued waivers and notices of enforcement discretion for several issues related to Health Insurance Portability and Accountability Act (HIPAA) compliance, but healthcare organizations still must be careful to comply with the privacy law even during the pandemic.
As the COVID-19 impact begins to wane and healthcare operations return to normal, it will be important to reframe HIPAA expectations, experts say. Remember that even with waivers and relaxed requirements, OCR still expects HIPAA compliance, says Lucie F. Huger, JD, an officer with Greensfelder in St. Louis.
“OCR is taking this pandemic very seriously and trying to be helpful in providing guidance and clarification on enforcement. But make no mistake — HIPAA is still here,” Huger says. “Compliance is still very important. Even though we have a pandemic, HIPAA still should be a significant concern.”
Covered entities must tread carefully, says Mark R. Ustin, JD, partner with Farrell Fritz in Albany, NY. OCR has emphasized the concepts of “minimum necessary” and “good faith,” he says.
“We have fewer rules than we used to have in this period. But you still want to ensure that you’re breaking the usual rules only to the extent that you need to break them so you can provide good patient care, and no further. That’s the minimum necessary concept,” he says. “OCR is also saying it won’t enforce where there’s a good faith breach, but they’re still reserving the ability to enforce where there has been some bad faith. This is not the opportunity for you to gather up someone’s healthcare data and sell it to someone.”
Some waivers did not apply to all hospitals, and they do not last for the duration of the pandemic response, says Melissa A. Borrelli, JD, LLM, CHC, CHPC, director of healthcare consulting with Mazars USA, a consulting firm in Sacramento, CA.
“OCR’s COVID-19 blanket 1135 waiver issued on March 13 was in fact very surgical. It only applied to hospitals for 72 hours after the hospital implemented its disaster protocols, and it did not waive all HIPAA requirements,” Borrelli explains.
Instead, the 1135 waiver is narrow. It waives sanctions and penalties for noncompliance with specific Privacy Rule provisions only: the requirement to obtain a patient’s agreement before speaking with family members or friends involved in his or her care, the requirement to honor a request to opt out of the facility directory, the requirement to distribute a notice of privacy practices, and the patient’s rights to request privacy restrictions and confidential communications. Every other HIPAA requirement continues to apply to the hospital during the waiver period.
More broadly, OCR eased its stance on communications technology, specifically for telehealth, Borrelli notes. The notice of enforcement discretion gives providers flexibility in the tools they use to communicate with patients, permitting remote communication products that do not fully comply with the HIPAA Security Rule as long as they are not “public facing.” For instance, FaceTime and Skype are allowed, while public-facing services that broadcast to an open audience, such as Facebook Live or TikTok, are not.
“Also, OCR provided business associates the freedom to share certain data for public health purposes only,” Borrelli says. “That is, a business associate may previously, by contract, not have been allowed to disclose data to the CDC [Centers for Disease Control and Prevention], but under this guidance, they can.”
Laura Peth, CHC, CFE, principal in healthcare consulting with Mazars USA, recommends two major focus areas to help covered entities be sure they are complying with HIPAA in extraordinary times. First, she says, stay the course as much as possible. Maintain and follow the organization’s existing privacy structure, policies, and procedures to maintain compliance with HIPAA, and only deviate from those standards when absolutely necessary.
Before operating outside normal privacy-related procedures, ensure the existing blanket waiver and enforcement discretion are actually applicable to the organization by reviewing source materials and guidance from the Centers for Medicare &amp; Medicaid Services, OCR, and state regulators, Peth advises.
“When it is absolutely necessary to operate within the new limits of the waiver and/or enforcement discretion environment, documentation of the reasoning for operating outside your existing policy is paramount. Even a quick memo-to-file noting the temporary change in procedure, the time period during which that change will be effective, the criteria considered for that change, how protected health information is continuing to be safeguarded, how staff are informed of and monitored on the new process, and including review approval by authority figures within your organization will aid you in the future,” Peth says. “Documenting this type of information, including the reasoning and criteria behind such decisions, will assist your organization in showing good faith per the OCR announcement guidance.”
Regardless of any changes to processes, waivers, or discretion in enforcement, adherence to the minimum necessary standard always is the best course, Peth says. The minimum necessary standard calls on healthcare professionals to make reasonable efforts to ensure any protected health information disclosed is restricted to the minimum necessary information to achieve the purpose for which the information is being disclosed. Be sure to include in any documentation how the organization is continuing to use the minimum necessary standard.
“Now is not the time to let any of your proactive controls or monitoring processes fall by the wayside. Preventive controls, detective monitoring, and auditing activities are more important than ever,” Peth says. “For example, given the likely increase in public figures in medical facilities, ensure any proactive medical record lockdown of high-profile patients is working well, and continue to monitor audit logs for inappropriate access of medical records. It is vitally important to maintain these processes as they can be your first indicator that a recent change to your privacy processes is creating issues.”
Continuing to perform these tasks also allows the organization to show good faith, Peth adds.
The second focus area involves educating staff and communicating well. Remind both remote and on-site staff about existing privacy-related policies, especially those most important given the current situation, Peth advises. However, now is not the time to drone through every single small procedure. Focus on what will affect staff right now on a daily basis. For example, Peth suggests addressing these issues:
- Review the overall privacy and security rules, any state-level laws and regulations, and contract requirements at a high level as they relate to the organization.
- Review the employee conduct code.
- Review how employees can contact the chief compliance officer and/or privacy officer directly.
- Review how employees can use any anonymous reporting mechanism, such as a hotline.
- Provide examples of issues staff may see right now that would be of concern and should be reported.
Relatable examples drawn from staff members’ own working conditions will not only help prevent them from inadvertently making these mistakes, but also prompt them to report any incidents they observe. Use current, real-life examples to make sure the message hits home.
Those examples might include pictures on social media of remote workspaces, pictures on social media of the facility environment, unsecured remote meetings with discussion of protected health information (PHI), frustrated remote workers going around existing information technology controls to access files and information they need to do their job if there are technology issues, and record snooping. “Keep records of this additional training and communication, including attendance, and save them with the memo-to-file,” Peth says. “This will assist you in evidencing good faith per the OCR announcement guidance.”
Employees should be trained on the temporary exceptions so that they can apply them during the emergency, says Cori R. Haper, JD, partner with Thompson Hine in Dayton, OH. “Employees should also be reminded that protecting patient privacy, even the privacy of public figures who may be patients, is still required,” she says. “In the midst of a pandemic, it is easy for employees to become distracted and inadvertently disclose PHI.”
Healthcare organizations should make a point of educating their employees about HIPAA waivers and changes in compliance expectations, says W. Reece Hirsch, JD, partner with Morgan Lewis in San Francisco. “There is misunderstanding, and it can be a lot for people to try to digest as they’re trying to do their jobs in these conditions. It’s important to be very clear about whether the waiver provisions have been triggered for your organization, and what is considered the minimum necessary deviation for your organization,” Hirsch explains. “It should not be left to the rank and file personnel to assume there are certain waivers.”
Even though hackers still are trying to break through security protocols, the biggest threat to privacy and security remains human error, Borrelli notes. “For example, healthcare administrative staff working remotely sharing a picture of their new home office set-up on social media with protected information visible on their computer monitor or within paperwork on their desk,” she says. “Or, clinical staff sharing photos of a facility setting to show the world what their day-to-day work is like or ... they may accidentally include the face of a patient in the background.”
Remember that even with enforcement discretion, OCR expects covered entities to act in good faith. Part of that is maintaining full HIPAA compliance wherever it remains feasible and not taking advantage of OCR’s pandemic response beyond what the organization’s situation actually requires.
“If you are a small entity that is not seeing patients, is it OK for you to relax your standards? I would argue no, there is no exigent circumstance here that would mean shutting down security systems or not requiring staff to verify the identity of those on the phone that would qualify as acting in good faith,” Borrelli says. “If you are a large hospital struggling from the weight of treating multiple COVID-19 patients, the answer may be different.”
Also beware of online threats to HIPAA security. Hackers see the COVID-19 crisis as an excellent opportunity to take advantage of people and systems that are occupied dealing with the crisis, Borrelli says. People are distracted and stressed, their critical thinking is not as attuned as it usually is, so they are more susceptible to phishing and other online attacks. “Add to that a large part of the workforce that has not worked remotely before and the lack of time to deal with the security and privacy controls needed in those environments. It’s a perfect storm for fraud, breaches, and cyber-crime,” Borrelli says.
Huger suggests this is a good time to review HIPAA policies and procedures to look for ways they might be improved. “We are seeing situations that we did not even imagine before, and now they are becoming very real,” Huger says. “This is an opportunity to reassess what you have on paper in light of what your doctors, nurses, and administrators are actually facing right now.” Educating those on the front line about what they can and cannot do regarding HIPAA compliance also is important, Huger says. “There is a very real human element here. Sometimes, people don’t have the luxury of referring to the policy and keeping up with how requirements have changed,” she explains. “Providing some easy-to-understand education is going to be important through this period. The policy might be there, but you might need to help your people understand how it applies now.”
There is a higher risk of some types of HIPAA violations during the pandemic response, says Kristen Rosati, JD, an attorney with Coppersmith Brockelman in Phoenix. “One of the HIPAA compliance problems that likely spikes during a healthcare crisis is increased incidence of curiosity viewing,” she notes. “Healthcare personnel want to know if a patient on the floor has tested positive for COVID-19. It’s tempting to look at a patient record, even if the personnel member is not involved in treating the patient. It’s also tempting for personnel with access to the electronic health record to look up neighbors, family members, or perhaps ex-spouses interacting with children. But unless there is a valid treatment reason to have access to the patient’s record, personnel shouldn’t be in the record.”
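The audit-log monitoring and high-profile record lockdown Peth recommends and the curiosity viewing Rosati describes both reduce to one detection question: did someone open a chart without a treatment relationship to the patient? The script below is an added example, not code from the article or from any EHR vendor. It assumes a simple one-line-per-event access log, a care-team roster per patient, an explicit allowlist for lockdown patients, and a set of accepted break-the-glass reason codes; all of those, the field names, and the thresholds are constructed for illustration. It flags three things: an access by a user who is not on the care team and gave no break-the-glass reason, any access to a lockdown patient by someone outside that patient’s allowlist (care-team membership alone is not enough), and a user who opens several unassigned charts within a short window, which is the pattern of someone checking who on the floor tested positive.

```python
"""
Flag EHR chart accesses that look like record snooping.

Checks run over each access event:
  1. Care-team check: user is not on the patient's care team and did not
     record an accepted break-the-glass reason.
  2. Lockdown check: patient is on the high-profile lockdown list and the
     user is not on that patient's explicit allowlist.
  3. Curiosity check: within a sliding window, the user opened the charts
     of several distinct patients they are not assigned to (break-the-glass
     accesses still count toward this, so a burst of "COVERING" is reviewed).

The log format, rosters, reason codes and thresholds are all constructed
for this example; a real EHR audit export and an ADT/encounter feed would
replace them.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit-log format, one event per line:
# 2020-04-07T09:15:02 user=nurse_a patient=P1001 action=VIEW_CHART reason=-
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) "
    r"action=(?P<action>\S+) reason=(?P<reason>\S+)$"
)

# Constructed rosters. In practice the care team comes from encounter assignments.
CARE_TEAM = {
    "P1001": {"dr_lee", "nurse_a"},
    "P1002": {"dr_lee", "nurse_b"},
    "P1003": {"dr_kim", "nurse_b"},
    "P2001": {"dr_kim", "nurse_c"},  # high-profile patient under record lockdown
}
LOCKDOWN_ALLOWLIST = {"P2001": {"dr_kim", "nurse_c"}}
BREAK_GLASS_REASONS = {"EMERGENCY", "COVERING"}  # constructed reason codes

CURIOSITY_THRESHOLD = 3            # distinct unassigned patients ...
CURIOSITY_WINDOW = timedelta(hours=1)  # ... within this window

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2020-04-07T08:00:00 user=nurse_a patient=P1001 action=VIEW_CHART reason=-
2020-04-07T08:05:00 user=nurse_b patient=P1001 action=VIEW_CHART reason=COVERING
2020-04-07T08:10:00 user=nurse_b patient=P2001 action=VIEW_CHART reason=-
2020-04-07T08:12:00 user=clerk_x patient=P1001 action=VIEW_CHART reason=-
2020-04-07T08:14:00 user=clerk_x patient=P1002 action=VIEW_CHART reason=-
2020-04-07T08:16:00 user=clerk_x patient=P1003 action=VIEW_CHART reason=-
2020-04-07T10:00:00 user=dr_kim patient=P2001 action=VIEW_CHART reason=-
this line is not an audit event
"""


@dataclass(frozen=True)
class Finding:
    user: str
    patient: str
    ts: str
    rule: str


def analyze(lines: list[str]) -> list[Finding]:
    """Return one Finding per rule violation, in log order."""
    findings: list[Finding] = []
    # user -> [(timestamp, patient)] for accesses outside the user's care teams
    unassigned: dict[str, list[tuple[datetime, str]]] = defaultdict(list)

    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real pipeline would count and alert on these
        ev = m.groupdict()
        ts = datetime.fromisoformat(ev["ts"])
        user, patient, reason = ev["user"], ev["patient"], ev["reason"]

        # Rule 2: lockdown patients need an explicit allowlist hit, nothing less.
        if patient in LOCKDOWN_ALLOWLIST and user not in LOCKDOWN_ALLOWLIST[patient]:
            findings.append(Finding(user, patient, ev["ts"], "lockdown_violation"))

        if user in CARE_TEAM.get(patient, set()):
            continue  # treatment relationship on record; nothing more to check

        # Rule 1: no care relationship and no documented break-the-glass reason.
        if reason not in BREAK_GLASS_REASONS:
            findings.append(Finding(user, patient, ev["ts"], "no_care_relationship"))

        # Rule 3: sliding window over distinct unassigned patients per user.
        hist = unassigned[user]
        hist.append((ts, patient))
        cutoff = ts - CURIOSITY_WINDOW
        hist[:] = [(t, p) for t, p in hist if t >= cutoff]
        if len({p for _, p in hist}) >= CURIOSITY_THRESHOLD:
            findings.append(Finding(user, patient, ev["ts"], "curiosity_burst"))

    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.rule:22s} user={f.user} patient={f.patient}")
```

On the sample log the clerk’s three chart views in four minutes produce three care-relationship findings plus a curiosity-burst finding, and the nurse who opens the lockdown patient’s chart is flagged twice (lockdown and no care relationship); the covering nurse’s break-the-glass access is not flagged on its own but still counts toward the burst window. Break-the-glass events should also be reviewed retrospectively, since a reason code is an assertion by the user, not evidence.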
There also may be a desire to share COVID-19 infection information to protect others, such as fellow employees, first responders, or family members, from becoming infected, Haper says. “This can be accomplished under the new exceptions, but healthcare providers should understand the boundaries of the exceptions so that they can properly apply them at the time an issue arises,” Haper says. “Another issue is the unique situation where the employer is a covered entity that provides testing for COVID-19 and wishes to use the information that one of its employees tested positive to protect other members of the workforce from contracting the disease. Again, this can be accomplished within the boundaries of the public health emergency exceptions, but it raises interesting issues when a company is both an employer and a covered entity.”
Even in the chaos of a pandemic, covered entity providers should try to implement their privacy procedures and adapt those procedures as necessary, says Thomas E. Jeffry, Jr., JD, partner with Arent Fox in Los Angeles. For instance, the minimum necessary rule requires that steps be taken so that persons only have access to the minimum amount of health information necessary based on their role and association with a patient.
“Only key personnel and those directly involved in the treatment and care of COVID-19 patients should have access to the identity of patients and their complete medical record. Because COVID-19 patients are separated from family members upon their admission to the hospital, the hospital should do its best to identify their designated personal representative and health decision surrogate. Communications about the patient should be channeled through that representative.”
While it may not be possible to engage in a private conversation with a patient who is in a hallway because there are no other beds, providers should do what they can to keep others from overhearing, Jeffry says.
Covered entities and their business associates should track disclosures; report any unauthorized uses and disclosures; maintain administrative, physical, and technical safeguards to protect the security of electronic PHI; and limit internal uses and disclosures consistent with their minimum necessary policies. Jeffry says covered entities should plan now for recovering from the pandemic.
“Covered entities should think about the transition back to meeting all HIPAA requirements when the public emergency is removed, particularly with respect to telehealth security requirements,” Jeffry offers.
Huger agrees, saying it will be important to bring employees back to the “normal” HIPAA compliance expectations once OCR revises its requirements after the pandemic slows or ends.
“If OCR is going back to business as usual, how is that going to impact the guidance we gave our staff members during the pandemic? That was then, and this is now. How are we going to get back to where we were with HIPAA compliance?” Huger asks.
Covered entities should plan for additional HIPAA training as soon as the pandemic subsides enough to allow it, suggests Stephanie Winer Schreiber, JD, shareholder with Buchanan Ingersoll & Rooney in Pittsburgh.
All communications about HIPAA compliance during the pandemic, especially any regarding a change in policy or procedures, should emphasize that it applies only “during the period” and “until further notice,” she says.
“It would be a very wise endeavor for healthcare providers to engage in some additional HIPAA training post-COVID-19,” Schreiber recommends. “Start thinking now about what you will need to tell your employees about rolling back to the way you previously addressed HIPAA compliance, what you learned about your program during the crisis. Maybe people can tell you about how your policies and procedures worked.”
OCR’s response to the COVID-19 pandemic may yield some long-lasting benefits, says Rose Willis, JD, with Dickinson Wright in Troy, MI. She expects OCR to consider maintaining some of the telehealth changes even after the pandemic subsides.
“We are going to see ... OCR making the rules a little more flexible for telehealth, with things like allowing the use of Skype to conduct a telemedicine consultation,” Willis says. “Before, it may not have been technically compliant from a security perspective, but I think as long as we don’t see any huge problems come up as a result of that, I think we’re going to see more of the flexibility continuing in the future.”