By: Steven Boyne
The COVID-19 virus has and will probably continue to change the way healthcare providers and business associates interact and help their patients. As many providers are aware, a HIPAA violation is a serious issue, and can cost a healthcare entity large amounts of time and money to respond to any regulatory investigation. Recognizing that the COVID-19 pandemic has strained every corner of the economy and is THE MOST IMPORTANT issue for almost every industry, the federal government has rolled back some HIPAA protections. It is unclear how long these rollbacks will last, and it is possible that some of them may be permanent, but for now healthcare providers and their business associates can take some comfort that they can focus on delivering care and not dealing with overly burdensome regulations and investigations. The major changes include:
- Telehealth. Changes include allowing physicians and other healthcare providers to offer telehealth services across State lines, so State licensing issues should not be a concern. Additionally, Providers are essentially free to choose almost any app to interact with their patients, even if it does not fully comply with the HIPAA rules. The HHS allows the provider to use their business judgment, but of course, such communications should NOT be public facing – which means DO NOT allow the public to watch or participate in the visit!
- Disclosures of Protected Health Information (PHI). A good faith disclosure of such information will not be prosecuted. Examples include allowing a provider or business associate to share PHI for such purposes as controlling the spread of COVID-19, providing COVID-19 care, and even notifying the media, even if the patient has not, or will not grant his or her permission.
- Business Associate Agreement (BAA). As most healthcare providers know, a BAA agreement between a provider and an entity that may have access to PHI is required by law. During the COVID-19 pandemic, the lack of a BAA is not an automatic violation.
Pitfalls. While all of these waivers and relaxations make a lot of sense during this pandemic, a healthcare provider can still get into trouble for a HIPAA violation. The following are some pitfalls to be aware of:
- The federal government has allowed providers and other companies to essentially use good faith to make decisions about the disclosure of PHI. This means that at some point the Office of Civil Rights, the enforcer of the HIPAA rules, may come back and ask about how and why a decision was made. This means that decisions should be documented at the time they were made.
- If a business associate of a covered entity (like a physician’s office) has disclosed PHI and the disclosure was made in good faith, then within ten (10) days of the disclosure the business associate should notify the covered entity.
- Even though the rules are loosened with respect to BAAs, the provider should within a reasonable amount of time attempt to have a BAA in place between the parties.
- With the exception of telehealth services, disclosure of PHI that in no way is related to COVID-19 has NOT been relaxed, so providers and business associates should continue use their best practices.
Finally, when this pandemic is over, some waivers and relaxations may continue in place, but others will revert to the original rules, so pay attention to the ever changing rules on HIPAA.
Download a quick reference guide to avoiding HIPAA violations during COVID-19.