Remember that the pandemic response may create unique Health Insurance Portability and Accountability Act (HIPAA) compliance risks, says Victoria Vance, JD, partner with Tucker Ellis in Cleveland.

Time, staffing, and focus are at a premium, she says, but staying cognizant of patients’ privacy remains important.

Vance offers reminders on how the pandemic response can increase HIPAA compliance risks:

  • Use caution when deploying staff from other departments, offices, or facilities within a health system. This includes bringing back retired healthcare workers or volunteers to work in unfamiliar surroundings. These individuals may need a refresher on the electronic medical record (EMR) systems and the facility’s unique HIPAA policies and resources.
  • In the press of patient care, remember not to share EMR passwords or forget to close patient encounters.
  • Be mindful of the media interest in hospital operations and patient treatment experiences. Designate a point person to serve as the media contact for press statements. Also be careful about the use of photography and videotaping in areas where patients may be identified.
  • Likewise, be cautious in phone encounters. Identify the caller, know with whom you are speaking, and share only minimum necessary information with designated individuals with a right to know about a patient’s condition and status.
  • Remember that compliance with HIPAA may not be enough. Local and state rules could provide additional protections for patient privacy and limitations on disclosure that are more restrictive than HIPAA.

In many instances, treating COVID-19 patients has meant working in conditions that are far from ideal for HIPAA compliance, notes Raymond Krncevic, JD, counsel with Tucker Ellis in Cleveland. Care is provided in overcrowded hospital units, drive-through testing sites, and other suboptimal situations where providers cannot communicate with patients in typically private settings.

“It sounds simple, but in these situations, common sense goes a long way,” Krncevic says.

He offers these suggestions:

  • Talk to patients in hushed voices if there are others standing nearby.
  • Log out of a patient’s medical chart if you are working in an area where the computer screen could easily be viewed by others.
  • Do not share computer passwords.
  • If treating a patient via telehealth link, make sure no one else is within earshot on your end.
  • Even if you are using or disclosing protected health information where patient consent is not required, such as obtaining a consult or submitting data to a local health board, make sure to use only the minimum amount of information necessary to complete the tasks.