Since the COVID-19 pandemic began, the healthcare system has been in a state of shock and uncertainty. The overloaded healthcare system is compelled to make judgments that may compromise patient privacy and safety by disclosing personal information such as test results, diagnoses, or hospital admission and discharge information.
The capacity of the healthcare system has increased as a result of temporary structures, telehealth healthcare delivery, and testing sites. At the same time, the amount of healthcare data has been increasing at an unprecedented rate due to the fast digitization and digitalization of the healthcare sector.
This, combined with the increasing use of mobile technology and a greater emphasis on privacy and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) safeguards, has resulted in a unique set of issues surrounding medical and personal data.
In this post, we will focus on how COVID-19 has been affecting patient privacy and HIPAA compliance regulations as well as the flexibility provided by the Department of Health and Human Services (HHS) in response to the pandemic.
HIPAA and COVID-19
HIPAA is a set of standards meant to secure sensitive patient health information. While the Privacy Rule seeks to safeguard the privacy of protected health information (PHI), specifies the conditions under which PHI may be exchanged or revealed, and provides individuals with rights regarding their PHI, the Security Rule establishes requirements for protecting PHI kept or transmitted in electronic form.
HIPAA compliance policies should require the retention and management of a person’s medical records in line with the HIPAA Rules. However, during public health or other crises, the Secretary of HHS may waive some HIPAA Rules fines and penalties. As a result, the HHS and the Office for Civil Rights (OCR) have taken steps to relax some HIPAA rules, substantially extending the opportunity to contact patients and potentially influencing the COVID-19 pandemic:
- OCR issued notification of enforcement discretion for telehealth remote communications during the COVID-19 nationwide public health emergency on March 17, 2020. On March 20, 2020, OCR also issued guidance in the form of frequently asked questions (FAQ) to clarify how the Notification is to be implemented.
- On March 24, 2020, OCR published new advice on how the personal health information (PHI) of a person infected with or exposed to COVID-19 can be shared with law enforcement, paramedics, other first responders, and public health authorities in compliance with the Privacy Rule.
- On April 2, 2020, OCR used its enforcement discretion and decided not to impose penalties for Privacy Rule violations resulting from business associates’ good faith uses and disclosures of PHI for public health and health supervision purposes during the COVID-19 pandemic.
- OCR declared that it will not impose penalties for HIPAA Rule breaches related to good faith participation in the operation of COVID-19 testing facilities during the COVID-19 pandemic. This notification of enforcement discretion was issued by OCR on April 9, 2020, with retroactive effect to March 13, 2020.
- On January 19, 2021, OCR decided not to enforce penalties for HIPAA Rule breaches related to the good faith use of online or web-based scheduling apps (WBSAs) for the sole purpose of scheduling individual appointments for COVID-19 vaccines during the COVID-19 pandemic.
Emerging Technologies and HIPAA
We appear to have overcome the shock of our initial experience with the COVID-19 pandemic and resolved the dilemma between the response to pandemic and patient privacy as a result of the fast adaptation in the healthcare system. However, the COVID-19 pandemic has made it abundantly obvious that there may be circumstances in which we must approach patient health information privacy and security in novel ways.
The pandemic has accelerated the adoption of new technologies both in routine practice and in our daily lives. While improvements in healthcare technologies, due in part to advancements in artificial intelligence and machine learning, have been a benefit to healthcare systems throughout the world, there may be some unanticipated problems with their usage regarding data privacy.
Therefore, watching how our laws are adaptable to the rapid advancement of technology in healthcare will be essential moving forward.