Last month, HHS announced a limited waiver of HIPAA sanctions and penalties during COVID-19.
The waived sanctions and penalties, effective March 15, include those for failing to obtain a patient’s agreement before speaking with family members or friends involved in their care and failing to distribute a notice of privacy practices, among others. In addition, physicians practicing telemedicine are now effectively permitted to use popular software such as FaceTime and Skype to conduct virtual patient visits.
For more detailed information on how HIPAA privacy disclosures are permitted under emergency situations, please read pages 17-23 in the slides that accompanied this webinar.
Frequently asked questions
What disclosures are we permitted to make to public authorities relating to COVID-19 cases?
Physicians may disclose PHI about suspected COVID-19 patients to public health authorities that are authorized by law to receive it, based on the “minimum necessary” standard. Some states require these disclosures.
What about responding to the media?
Disclosures to the media are not permitted unless authorization is provided by the patient. However, physicians can share de-identified information such as the number of patients being treated.
What about the risks of internal staff access?
Staff are not permitted to access patient records unless it is necessary for their job.
Physicians should make sure their staff are aware that everything done within an EHR system is tracked.
Audit logs must be reviewed periodically by the appointed HIPAA Security Officer or other designee.
Impact on telemedicine
Under OCR's enforcement discretion for the good faith provision of telehealth, as of March 17 and for the duration of the COVID-19 pandemic, there will be no OCR-imposed penalties for HIPAA noncompliance in connection with telehealth provided in good faith.
What does good faith mean?
From OCR: “A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients.”
Example: a physician exercising their professional judgment may examine a patient via a video chat application.
What is a non-public facing remote communication product?
Non-public facing products include Apple FaceTime, Facebook Messenger video chat, Google Hangouts video and Skype (a list of other accepted technologies can be found on page 39 of the slide deck).
Facebook Live, Twitch, TikTok, and similar video communication applications are public facing and should not be used in the provision of telehealth by covered health care providers.
Countering the risks of telemedicine
Little and Tuttle recommend putting a telecommuting policy in place at your office, emphasizing the following points:
Protecting protected health information (PHI), electronic protected health information (EPHI) and other confidential information is every employee's responsibility.
Any practice or patient-related materials taken to the remote work area should be maintained in your designated remote work area and not be made accessible to others.
All confidential information, including PHI and EPHI, will only be accessed through and stored within the practice’s internal network or cloud-hosted electronic health records (EHR) system.
Additionally, keep your voice low when speaking to a patient, and don’t use speaker phones.
Do not copy or store protected health information on home computers or laptops.
Ensure any wireless use is encrypted: avoid public WiFi, and make sure any portable laptop that stores PHI is fully encrypted. If full encryption is not possible, use file- or folder-level encryption.
If you are not able to access a network drive or EHR system, but have the need to save files locally to the computer, notify the HIPAA Security Official or practice manager to discuss available options.
Encryption must be used when transmitting PHI where possible.
If a patient requests their information be sent via non-encrypted means, such as texting, they should acknowledge the risk of this type of transmission and opt in.
Texting of PHI among staff members should never be done without encryption.
Beware of hackers
Unfortunately, hackers have taken advantage of this pandemic. Their risks are low and their rewards are high. To make sure your office is prepared, educate all staff members on common-sense cybersecurity measures and on how hackers use spoofed emails.
Be aware of ransomware, a type of malware that typically arrives by email, encrypts the databases and folders on your computers, and demands payment in bitcoin for the key needed to restore them. The OCR classifies a ransomware attack on a non-encrypted folder containing health information as a HIPAA breach. The safe harbor may apply if the folder was already encrypted before it was attacked.
HIPAA provides no private cause of action: an individual cannot sue for a violation of the federal HIPAA statute or any of its regulations, Little and Tuttle note. This means you do not have a right to sue based on a violation of HIPAA by itself.
Nonetheless, physicians must stay diligent. If you are negligent and do not meet "good faith" requirements, you can be held accountable for civil violations of state negligence laws. Cases of these violations are setting precedent.
If a HIPAA violation resulted in damages, meaning a patient suffered some kind of verifiable financial loss, slander or defamation, they may have a civil claim against the individual who violated their HIPAA rights.