Hospitals and healthcare workers across the country are overwhelmed again with the surge of COVID-19 patients. The Atlantic reported a week ago:
According to local news reports, hospitals are already on the brink of being overwhelmed in Iowa, Kansas, Minnesota, Missouri, Montana, North Dakota, Texas, Utah, and Wisconsin, and officials in many other states warn that their health-care systems will be dangerously stressed if cases continue to rise.
Yesterday 73,014 patients with COVID-19 were hospitalized, a 46% increase from the average two weeks earlier. CBS News reported today that there have been 1 million new cases reported in the last week, and Michigan, California, Utah and Missouri are starting to impose stricter stay-at-home measures to slow the spread and ease the pressure on hospitals and healthcare workers.
Even during the COVID-19 crisis, HIPAA has not been suspended. So how are covered entities and their health care workers expected to stay compliant during the pandemic?
Review the HIPAA Basics and Set Priorities
Commitment to Privacy is a Core Value
While under stress, healthcare workers are more likely to remember and stay committed to general principles, if not detailed requirements. It’s useful to remember that the mission of a HIPAA compliance program is to protect the privacy and security of protected health information (PHI).
Protected Health Information Defined
All workforce members must understand what protected health information (PHI) is so they can protect it. Many people do not realize that PHI is not only information about a person’s health condition, diagnosis, treatment or medication. It is more basic – it is any piece of information that identifies a person and relates to the past, present or future provision of health care. Simply a name, a medical ID number, or an address, by itself, is PHI if it’s connected to the past, present or future provision of health care. There are eighteen identifiers in HIPAA. Any one of them could be PHI. And PHI includes electronic PHI, which is anything maintained in or transmitted by electronic media.
Remember also, the right to privacy extends beyond death. PHI of a deceased individual is subject to Privacy Rule protection for 50 years following the date of the death.
Patient Right of Access
One of the most important priorities of the Office for Civil Rights (OCR), which enforces HIPAA, is ensuring patients are able to obtain access to their own medical records easily, without delay and at no or minimum cost. Review the basics of how the right of access should work.
OCR’s Right of Access Initiative was started in 2019 to call attention to this, and there have been eleven investigation settlements in the 15 months since it began.
The Minimum Necessary Standard
The Minimum Necessary Standard is a basic part of HIPAA compliance. Uses, disclosures and requests for PHI must be limited to the Minimum Necessary to accomplish the purpose. Members of the workforce may only be allowed access to the Minimum Necessary PHI they need to carry out their duties.
Talking with Family and Friends
Talking with family and friends may be permitted. The guiding rule about sharing PHI is that it’s the patient’s decision. The easy case is when the patient has consented in advance, on an intake form, to disclosures to a certain relative or friend. If there is no written consent, a health care worker may ask the patient, and if the patient is unable to respond, the health care worker may exercise their professional judgment that speaking with a family member or friend is in the patient’s best interest.
Watch for Phishing Schemes that Exploit COVID-19 Fear
There have been repeated warnings about cybercriminals taking advantage of the COVID pandemic by using fear to trick people into clicking attachments or links within an email. Workforce members should be reminded to Think Before You Click and slow down when it comes to email and texts.
Ask an Expert for Help
Every hospital or other healthcare facility should have a HIPAA Compliance person who can answer basic questions.
Another option is to call us at The HIPAA E-Tool®. You don’t need to buy anything. If you have a question, basic or more complicated, we can help.