HIPAA Privacy and Novel Coronavirus (COVID-19)
In February 2020, the OCR released a bulletin providing guidance related to the Novel Coronavirus better known as COVID-19. OCR expects Covered Entities and Business Associates to make reasonable efforts to protect patient privacy and secure information even during a pandemic.
During such a time, the HIPAA Privacy Rule still applies to disclosures made by employees, volunteers, and other members of a covered entity’s or business associate’s workforce.
- Covered entities are health plans, health care clearinghouses, and those health care providers that conduct one or more covered health care transactions electronically, such as transmitting health care claims to a health plan.
- A business associate of a covered entity (including a business associate that is a subcontractor) may make disclosures permitted by the Privacy Rule, such as to a public health authority, on behalf of a covered entity or another business associate to the extent authorized by its business associate agreement.
Covered entities and business associates must consult other applicable laws (e.g., state and local statutes and regulations) in their jurisdiction prior to using or making disclosures of individuals’ Protected Health Information (PHI), as such laws may place further restrictions on disclosures that are permitted by HIPAA.
OCR Announcements Related to COVID-19
The Office for Civil Rights (OCR) is the government agency tasked with HIPAA enforcement in the United States. During the COVID-19 public health emergency, OCR has provided guidance that helps to explain civil rights laws as well as how the HIPAA Privacy Rule allows patient information to be shared in the outbreak of an infectious disease and to assist patients in receiving the care they need.
Since the COVID-19 outbreak, OCR has maintained a website filled with applicable guidance, bulletins and numerous documents related to Notification of Enforcement Discretion in English and Spanish. Click Here to go to the OCR’s webpage and download all the information that is applicable to your organization.
Minimum Necessary Remains Even in a Crisis
For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose. Minimum necessary requirements do not apply to disclosures to health care providers for treatment purposes.
Under the Privacy Rule, covered entities may disclose, without a patient’s authorization, protected health information (PHI) about the patient as necessary to treat the patient or to treat a different patient. Treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment. See 45 CFR §§ 164.502(a)(1)(ii), 164.506(c), and the definition of “treatment” at 164.501.
HIPAA Security Considerations During a Health Care Crisis
An increase in telehealth and virtual visits means an increase in hacking, smishing and phishing attacks. As phishing, vishing and smishing attempts increase, they are likely to utilize health guidance, containment instructions or infection-rate news to lure unsuspecting individuals to click links or open attachments containing malware or other potential threats.
As organizations become increasingly reliant on email communications for continued operation, there is also an anticipated increase in actors mimicking these communications. Organizations should guard against these attacks through standardization of formal employee communications to help employees more easily discern threats.
CISA Encourages Heightened Cybersecurity Measures
CISA is the government’s Cybersecurity and Infrastructure Security Agency. As the threat of malicious cyber activity increases in times of crisis, the Cybersecurity and Infrastructure Security Agency continues to use U.S. cyber intelligence and real-world events to provide background information (Insights) on the particular cyber threats and vulnerabilities they exploit, as well as a ready-made set of mitigation activities that non-federal partners can implement.
One of CISA’s Insights on Risk Management for Novel Coronavirus (COVID-19) further explains their role as the nation’s risk advisor and discusses the COVID-19 Risk Profile. This guide also provides additional insights to help executives as they contemplate the physical, supply chain, and cybersecurity issues that may arise from the spread of COVID-19.
The guide offers information on actions for infrastructure protection, actions for supply chains, cybersecurity for organizations, and cybersecurity actions for the workforce and consumers.
Additional insights from CISA are located at: https://www.cisa.gov/insights
As this country continues to strive to protect the rights of its citizens, maintaining safety of the workforce and treating patients with a potentially lethal virus will continue to pose huge risks and challenges to maintain compliance.
We hope that you continue to use the American Institute of Healthcare Compliance Blog as a resource to review government RSS feeds and articles on current events, such as this. For COVID-19 online information and training, go to our website www.aihc-assn.org.