The healthcare industry is reeling from the impact of the COVID-19 pandemic.
Not only have organizations been pushed to the limit handling the explosion in cases, but they have also been targeted by ransomware and other cyberattacks at this vulnerable time.
Complying with the Health Insurance Portability and Accountability Act (HIPAA) is the last thing on the minds of healthcare providers and first responders. Yet they still must comply with the HIPAA rules requiring that patient data be secured and that patients retain control over their protected health information (PHI).
HIPAA Rules Clarified
HHS’s Office for Civil Rights (OCR) explained that healthcare providers could share COVID-19-related information with law enforcement, paramedics, and public health agencies without an individual’s authorization in certain circumstances. Under normal conditions, HIPAA requires patient consent before a healthcare provider or business associate can share PHI with a third party.
The circumstances in which individual consent is not required to share PHI include:
- When the disclosure is needed to provide treatment;
- When a notification is mandated by state or local law;
- When a notification is necessary for a public health agency to prevent or control the disease’s spread;
- When first responders may be at risk of infection;
- When the disclosure of PHI is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public; and
- When responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual.
Also, OCR said that it would not impose HIPAA penalties on healthcare providers and business associates for “good faith uses and disclosures of PHI” in carrying out public health and health oversight activities, such as the operation of COVID-19 testing sites, during the pandemic.
OCR also clarified that healthcare providers and health plans could contact patients who have recovered from COVID-19 to inform them about donating blood and plasma containing antibodies to help other COVID-19 patients. At the same time, the entities cannot receive any payment from plasma donation centers in exchange for contacting the patient unless the patient authorizes the payment.
Liability Immunity for COVID-19 Countermeasures
HHS Secretary Alex Azar issued a declaration in March under the Public Readiness and Emergency Preparedness Act providing broad immunity to individuals and organizations “against any claim of loss caused by, arising out of, relating to, or resulting from the manufacture, distribution, administration, or use of medical countermeasures” for COVID-19.
Medical countermeasures include any “antiviral, any other drug, any biologic, any diagnostic, any other device, or any vaccine, used to treat, diagnose, cure, prevent, or mitigate COVID–19, or the transmission of [COVID-19] or a virus mutating therefrom, or any device used in the administration of any such product, and all components and constituent materials of any such product.”
Immunity is limited to activities authorized by the federal government as well as any action related to emergency response. However, immunity does not extend to death or personal injury resulting from “willful misconduct” or to foreign entities where the U.S. has no jurisdiction.
HHS followed up the declaration with an advisory opinion issued in April, which clarified some issues. The opinion noted that immunity covers claims for loss in tort or contract, as well as claims for loss relating to compliance with federal, state, and local laws, regulations, and other legal requirements.
HIPAA Penalties for Telehealth Waived
OCR eased HIPAA enforcement for telehealth. HHS said it would waive HIPAA penalties for healthcare providers that serve patients using telehealth during the COVID-19 pandemic.
“We are empowering medical providers to serve patients wherever they are during this national public health emergency,” said OCR Director Roger Severino. “We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”
This exemption applies to non-public remote communications apps, such as Apple FaceTime, Facebook Messenger, Google Hangouts, WhatsApp, Zoom, and Skype, when used in “good faith” for treatment or diagnosis, “regardless of whether the telehealth service is directly related to COVID-19,” OCR explained. At the same time, public-facing apps, such as TikTok, Facebook Live, Twitch, or a public chat room, do not qualify for the HIPAA enforcement waiver.
The good news is that Dropsuite has you covered when it comes to HIPAA compliance. Our email backup and archiving products meet all HIPAA requirements, regardless of how HHS may modify compliance and enforcement in response to COVID-19.
Dropsuite’s email archiving with backup is a cloud-based email archiving and backup solution for businesses that need to comply with HIPAA requirements, while having their emails securely backed up and accessible.