
COVID-19 Challenges and Strengthens HIPAA

The pandemic is forcing change in healthcare. Thoughtful debates are raging about these changes. Are we doing enough, can we move faster, is the public good more important than individual rights, does privacy still matter? Whether the subject is testing, resource allocation, Medicare reimbursement, or technology, HIPAA and the values it represents are front and center.

Privacy matters as much as ever, and yet HIPAA’s privacy and security protections are being challenged in new ways. So is the Centers for Medicare and Medicaid Services (CMS), the agency that administers Medicare and works with the states to administer Medicaid. CMS also has a role in the administration of HIPAA standards. The U.S. Department of Health and Human Services (HHS) has responded rapidly, issuing numerous bulletins and enforcement announcements since January to help guide healthcare organizations. HHS is a huge bureaucracy, and yet its response on HIPAA policy has been remarkably nimble.

HIPAA has Flexibility Built In

One of the earliest bulletins issued by HHS, from the Office for Civil Rights (OCR) in February 2020, was a reminder of how existing HIPAA rules balance privacy with appropriate uses and disclosures. For example, the February bulletin describes how protected health information (PHI) may be used or shared for treatment purposes, for public health activities, and with family and friends, without individual authorization.

About a month later, OCR issued a COVID-19 and HIPAA bulletin for law enforcement, first responders and public health authorities. Again, this simply outlined existing HIPAA rules that permit the disclosure of PHI without individual authorization. Examples include: when a disclosure is needed for treatment (a nursing home may share PHI with first responders transporting a patient to the ER); disclosure to a public health authority (the CDC, a state or local public health department) to prevent or control spread of disease; or disclosure to a first responder or police officer who may have been exposed.

HIPAA Modified Under COVID-19

OCR and CMS have both issued other bulletins describing changes due to the pandemic. So far these are temporary. One example is a set of waivers for hospitals during a declared public health emergency. This is the latest in a series of similar waiver announcements we have seen for hurricane disasters every September for the past several years. A more significant, and new, change is related to telehealth and telemedicine.

Telehealth and Telemedicine

Technology for remote communications over the internet has been with us for years, but for healthcare, challenges to privacy and security had prevented telemedicine from becoming mainstream. The pandemic has accelerated the change. Although for now these changes are temporary, COVID-19 is the tipping point that will mainstream telehealth and telemedicine.

Recognizing that remote communications can help with social distancing and reach patients in remote locations, OCR issued its first bulletin expanding the use of telemedicine in March.

CMS followed up in early April with sweeping program revisions in response to COVID-19, to promote the use of telehealth. The CMS changes, among other things, permit reimbursements for treatment using telehealth that were not permitted before the pandemic.

Telemedicine is a key tool for patient engagement, allowing immediate, effective and economical treatment for patients at home. Both patients and providers benefit. The law, and healthcare policy, need to catch up.

HIPAA Protects Privacy and Security

The pandemic is challenging us to think about ways to track the disease, monitor individuals’ health status and make policy decisions based on what is known about its spread. Some have framed the debate around HIPAA changes as technology vs. law and policy, with competing approaches and values. But in the United States, both technology experts and lawmakers share the view that privacy still matters.

Experts debating the lack of privacy underscore that individual privacy is still of major importance for all Americans. Solutions to both manage the pandemic and protect privacy will be complex and will take time. But HIPAA itself is flexible, and the federal agencies that administer health policy have shown they can adapt.

HIPAA is not going away, but will continue to change, as it has over the past two decades. Under the pressure of COVID-19, the change will accelerate, because patient-centered care and privacy are the bedrock of quality healthcare.


Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up-to-date policies, forms and training on everything related to HIPAA compliance.
