Happy National Osteopathic Medicine Week! JOIN THE CELEBRATION
Understanding the OCR's new COVID-19 guidance on HIPAA and the federal civil rights laws, as it pertains to telemedicine.
The AOA webinar below, featuring Lee Hamil Little, JD & Brian Tuttle, CPHIT, CPA, CHA, CBRA, CISSP, was recorded on April 6, 2020.
Last month, HHS announced a limited waiver of HIPAA sanctions and penalties during COVID-19.
The waived sanctions and penalties, effective March 15, include those for failing to obtain a patient’s agreement before speaking with family members or friends involved in their care and failing to distribute a notice of privacy practices, among others. In addition, physicians practicing telemedicine are now effectively permitted to use popular software such as FaceTime and Skype to conduct virtual patient visits.
For more detailed information on how HIPAA privacy disclosures are permitted under emergency situations, please read pages 17-23 in the slides that accompanied this webinar.
What disclosures are we permitted to make to public authorities relating to COVID-19 cases?
What about responding to the media?
What about the risks of internal staff access?
Following the good faith provision of HIPAA Rules on telehealth, as of March 17 and throughout the COVID-19 pandemic, there will be no OCR-imposed penalties for HIPAA noncompliance.
What does good faith mean?
What is a non-public facing remote communication product?
Little and Tuttle recommend putting a telecommuting policy in place at your office, emphasizing the following points:
Unfortunately, hackers have taken advantage of this pandemic. Their risks are low and their rewards are high. To make sure your office is prepared, educate all staff members on common-sense cybersecurity measures and how hackers leverage spoof emails.
Be aware of ransomware, a type of virus that comes through emails that attacks databases and folders on your computers and requires you to pay a hacker in bitcoin for an encryption key. The OCR classifies ransomware attacks on non-encrypted folders with health information in them as HIPAA breaches. Safe Harbor may apply if a folder is encrypted and hacked anyway.
There is no private cause of action allowed to an individual to sue for a violation of the federal HIPAA or any of its regulations, Little and Tuttle note. This means you do not have a right to sue based on a violation of HIPAA by itself.
Nonetheless, physicians must stay diligent. If you are negligent and do not meet “good faith” requirements, you can be held accountable for civil violations of state negligence laws. Cases of these violations are creating precedence.
If a HIPAA violation resulted in damages, meaning a patient suffered some kind of verifiable financial loss, slander or defamation, they may have a civil claim against the individual who violated their HIPAA rights.
Security Risk Assessment Tool from HealthIT.gov.
HIPAA Administrative Simplification from HHS.
If you are audited by HIPAA, this is their protocol.
When in doubt, always fact check with HHS, and always check their information against your state’s laws.