The pandemic is forcing change in healthcare. Thoughtful debates are raging about these changes. Are we doing enough, can we move faster, is the public good more important than individual rights, does privacy still matter? Whether the subject is testing, resource allocation, Medicare reimbursement, or technology, HIPAA, and the values it represents are front and center.
Privacy matters as much as ever and yet HIPAA’s privacy and security protections are being challenged in new ways. So is the Centers for Medicare and Medicaid Services (CMS), the agency that administers Medicare and works with the states to administer Medicaid. CMS also has a role in the administration of HIPAA standards. The U.S. Department of Health and Human Services (HHS) has responded rapidly, issuing numerous bulletins, and enforcement announcements since January to help guide healthcare organizations. HHS is a huge bureaucracy and yet, its response on HIPAA policy has been remarkably nimble.
HIPAA has Flexibility Built In
One of the earliest bulletins issued by HHS, from the Office for Civil Rights, in February, 2020, was a reminder of how existing HIPAA rules balance privacy with appropriate uses and disclosures. For example, the February bulletin describes how protected health information (PHI) may be used or shared for treatment purposes, for public health activities, and to family and friends, without individual authorization.
About a month later OCR issued a COVID-19 and HIPAA bulletin for law enforcement, first responders and public health authorities. Again, this simply outlined existing HIPAA rules that permit the disclosure of PHI without individual authorization. Examples include: when a disclosure is needed for treatment (a nursing home may share PHI with first responders transporting a patient to the ER); disclosure to a public health authority (the CDC, a state or local public health department) to prevent or control spread of disease; or disclosure to a first responder or police officer who may have been exposed.
HIPAA Modified Under COVID-19
OCR and CMS have both issued other bulletins describing changes due to the pandemic. So far these are temporary. One example is a set of waivers for hospitals during a declared public health emergency. This is the latest in a series of similar waiver announcements we have seen for hurricane disasters every September for the past several years. A more significant, and new, change is related to telehealth and telemedicine.
Telehealth and Telemedicine
Technology for remote communications over the internet has been with us for years, but for healthcare, challenges to privacy and security had prevented telemedicine from becoming mainstream. The pandemic has accelerated the change. Although for now these changes are temporary, COVID-19 is the tipping point that will mainstream telehealth and telemedicine.
Recognizing that remote communications can help social distancing, and reach patients in remote locations, in March OCR issued its first bulletin expanding the use of telemedicine.
CMS followed up in early April with sweeping program revisions in response to COVID-19, to promote the use of telehealth. The CMS changes, among other things, permit reimbursements for treatment using telehealth that were not permitted before the pandemic.
Telemedicine is a key tool for patient engagement, allowing immediate, effective and economical treatment for patients at home. Both patients and providers benefit. The law, and healthcare policy, need to catch up.
HIPAA Protects Privacy and Security
The pandemic is challenging us to think about ways to track the disease, monitor individuals’ health status and make policy decisions based on what is known about its spread. Some have framed the debate around HIPAA changes as technology vs. law and policy, with competing approaches and values. But in the United States, both technology experts and lawmakers still share the view that privacy still matters.
Experts debating the lack of privacy underscore individual privacy is still of major importance for all Americans. Solutions to both manage the pandemic and protect privacy will be complex and will take time. But HIPAA itself is flexible and the federal agencies who administer health policy have shown they can adapt.
HIPAA is not going away, but will continue to change, as it has over the past two decades. Under the pressure of COVID-19, the change will accelerate, because patient-centered care and privacy are the bedrock of quality healthcare.