How a Pandemic Impacts HIPAA Requirements
As healthcare business professionals, we have been trained in the importance of following HIPAA privacy and security requirements. As coders, auditors, and health information services professionals, we are bound by the HITECH Act of 2009, which outlines the responsibilities of “business associates” with respect to HIPAA requirements. As business associates, we are required to “appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.”
We are now directed to share protected data with scientists and experts during the COVID-19 pandemic. We are told that data is key to reducing the spread of COVID-19, to creating treatments and vaccines, and ultimately to understanding how to mitigate or prevent the next public health crisis. With that in mind, what are we now allowed to share?
HIPAA Changes During COVID-19
In February 2020, the Office for Civil Rights released a bulletin directing covered entities and their business associates on how they can release patient data during the pandemic:
February 2020 Office for Civil Rights, U.S. Department of Health and Human Services BULLETIN: HIPAA Privacy and Novel Coronavirus
Treatment: Under the Privacy Rule, covered entities may disclose, without a patient’s authorization, protected health information about the patient as necessary to treat the patient or to treat a different patient. Treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment.
An important caveat here: This change applies during the public health emergency (PHE) for COVID-19 only. Once the PHE ends, this bulletin will likely be rescinded or updated.
The bulletin allows protected health information (PHI) to be shared in certain circumstances absent patient consent:
Therefore, the Privacy Rule permits covered entities to disclose needed protected health information without individual authorization:
To a public health authority, such as the CDC or a state or local health department, that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability. This would include, for example, the reporting of disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. … For example, a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV).
Other changes that impact HIPAA during the pandemic include:
- If the patient is unconscious, PHI may be shared by clinicians if it is in the best interest of the patient.
- Disaster relief organizations (Red Cross, etc.) may have access to PHI without a patient’s consent if they are unable to do their job during an emergency without it.
- Providers may share patient information with anyone required to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.
Care should be taken to get permission whenever possible; unfortunately, many hospitalized COVID-19 patients are unable to give consent. PHI (e.g., specific tests, test results, or details of a specific illness or treatment) should not be released to the media without patient consent or consent by a family member representing the patient.
HIPAA Requirements In Place During COVID-19 PHE
While the privacy requirements have eased to make critical data available during the crisis, some elements of HIPAA have not changed. “Minimum necessary” still applies unless it’s for disclosure to another healthcare provider for treatment purposes. In the special instance of COVID-19 the bulletin explains:
“A covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV) is the minimum necessary for the public health purpose. In addition, internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties.”
While the pandemic is impacting some of the privacy elements of HIPAA, the security requirements have not changed. Covered entities (and their business associates) must continue to apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic PHI.
As the pandemic progresses, the U.S. government continues to release new directions, rules, and laws.
On April 2, 2020, the Office for Civil Rights announced:
“Effective immediately, that it will exercise its enforcement discretion and will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against health care providers or their business associates for the good faith uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities during the COVID-19 nationwide public health emergency.
“This Notification was issued to support Federal public health authorities and health oversight agencies, like the Centers for Disease Control and Prevention (CDC) and Centers for Medicare and Medicaid Services (CMS), state and local health departments, and state emergency operations centers who need access to COVID-19 related data, including PHI. The HIPAA Privacy Rule already permits covered entities to provide this data, and today’s announcement now permits business associates to also share this data without risk of a HIPAA penalty.”
This was a critical announcement made to reassure covered entities and business associates that they would not be prosecuted under HIPAA rules when they released PHI as required by public health initiatives and the CDC.
As the crisis continued, the government published additional steps and actions about HIPAA and the allowed disclosure of PHI.
On April 21, 2020, the Library of Congress published information clarifying data sharing and privacy further:
H.R. 6585: Equitable Data Collection and Disclosure on COVID-19 Act
“This bill establishes the Commission on Ensuring Health Equity During the COVID-19 Public Health Emergency and adds reporting requirements for certain demographic data related to COVID-19 (i.e., coronavirus disease 2019).
“Among other activities, the commission must (1) determine approaches to using data to reduce demographic disparities in COVID-19 prevalence and outcomes, and (2) submit findings and recommendations to Congress on a specified timeline until the end of the public health emergency.
“During the public health emergency, the Centers for Disease Control and Prevention (CDC) and the Centers for Medicare & Medicaid Services must publish, and update daily, data on COVID-19 testing, treatment, and outcomes that is disaggregated by race, ethnicity, and other demographic characteristics on the CDC website. In addition, the Indian Health Service shall consult with tribes with respect to COVID-19 data collection and reporting. The Department of Health and Human Services must make a summary of final statistics related to COVID-19 publicly available and report specified information to Congress within 60 days of the end of the public health emergency.”
This document ensures that at the end of the crisis, Congress will be able to review the statistics gathered from reported data during the pandemic. At that time, Congress will also be able to determine if HIPAA privacy requirements are to revert to pre-COVID rules.
What Does the Future Hold?
Some public health officials argue that patient data is not available quickly enough to make critical decisions regarding mitigation efforts. With a second wave of infections expected this fall, and with the possibility of schools reopening, there likely will remain a high demand for healthcare data. Perhaps the experts will draft a special data sharing act that can be immediately implemented if required. Until then, we work within the modified privacy data release allowed by the bulletin.
The Centers for Medicare & Medicaid Services (CMS) has been compiling COVID-19 data on Medicare patients and recently released a data snapshot using the information gathered in the early weeks of the pandemic. It is interesting to review the report to see how the data is utilized by public health officials.
Flexibility is always an important skill, but more so now than ever before. Stay tuned for more updates and changes as the experience with the pandemic progresses.
OCR Announces Notification of Enforcement Discretion to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities During The COVID-19 Nationwide Public Health Emergency