
Managing HIPAA During the COVID Crisis

Hospitals and healthcare workers across the country are overwhelmed again with the surge of COVID-19 patients. The Atlantic reported a week ago:

According to local news reports, hospitals are already on the brink of being overwhelmed in Iowa, Kansas, Minnesota, Missouri, Montana, North Dakota, Texas, Utah, and Wisconsin, and officials in many other states warn that their health-care systems will be dangerously stressed if cases continue to rise.

Yesterday 73,014 patients with COVID-19 were hospitalized, a 46% increase from the average two weeks earlier. CBS News reported today that there have been 1 million new cases reported in the last week, and Michigan, California, Utah and Missouri are starting to impose stricter stay-at-home measures to slow the spread and ease the pressure on hospitals and healthcare workers.

Even during the COVID-19 crisis, HIPAA has not been suspended. So how are covered entities and their health care workers expected to stay compliant during the pandemic?

Review the HIPAA Basics and Set Priorities

Commitment to Privacy is a Core Value

While under stress, healthcare workers are more likely to remember and stay committed to general principles, if not detailed requirements. It’s useful to remember that the mission of a HIPAA compliance program is to protect the privacy and security of protected health information (PHI).

Protected Health Information Defined

All workforce members must understand what protected health information (PHI) is so they can protect it. Many people do not realize that PHI is not only information about a person’s health condition, diagnosis, treatment or medication. It is more basic: it is any piece of information that identifies a person and relates to the past, present or future provision of health care. A name, a medical ID number, or an address, by itself, is PHI if it’s connected to the past, present or future provision of health care. There are eighteen identifiers in HIPAA. Any one of them could be PHI. And PHI includes electronic PHI, which is anything maintained in or transmitted by electronic media.

Remember also, the right to privacy extends beyond death. PHI of a deceased individual is subject to Privacy Rule protection for 50 years following the date of the death.

Patient Right of Access

One of the most important priorities of the Office for Civil Rights (OCR), which enforces HIPAA, is ensuring patients are able to obtain access to their own medical records easily, without delay and at no or minimal cost. Review the basics of how the right of access should work.

OCR’s Right of Access Initiative was started in 2019 to call attention to this, and there have been eleven investigation settlements in the 15 months since it began.

The Minimum Necessary Standard

The Minimum Necessary Standard is a basic part of HIPAA compliance. Uses, disclosures and requests for PHI must be limited to the Minimum Necessary to accomplish the purpose. Members of the workforce may only be allowed access to the Minimum Necessary PHI they need to carry out their duties.

Talking with Family and Friends

Talking with family and friends may be permitted. The guiding rule about sharing PHI is that it’s the patient’s decision. The easy choice is when the patient has consented in advance, on an intake form, to disclosures to a certain relative or friend. If there is no written consent, a health care worker may ask the patient, and if the patient is unable to respond, the health care worker may exercise their professional judgment that speaking with a family member or friend is in the patient’s best interest.

Watch for Phishing Schemes that Exploit COVID-19 Fear

There have been repeated warnings about cybercriminals taking advantage of the COVID pandemic by using fear to trick people into clicking attachments or links within an email. Workforce members should be reminded to Think Before You Click and slow down when it comes to email and texts.

Ask an Expert for Help

Every hospital or other healthcare facility should have a HIPAA Compliance person who can answer basic questions.

Another option is to call us at The HIPAA E-Tool®. You don’t need to buy anything – if you have a question, basic or more complicated – we can help.

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC
