2020 was an unexpected year in so many industries but arguably none more than the healthcare industry. Public health has dominated the headlines and our day-to-day discussions throughout almost all of 2020. These conversations have also brought up HIPAA into more mainstream conversations than typical but even more than that, the events of the previous year have brought up many new topics within the world of HIPAA itself.
A few themes of the year in terms of HIPAA have been the specific COVID-19 guidance, continued and consistent Right of Access Initiative settlements and the Notice of Proposed Changes to the Privacy Rule. We’ll give you all the high points below as a 2020 HIPAA Year in Review!
COVID-19 Guidance from the OCR
The outbreak of the COVID-19 pandemic has presented unique challenges for all HIPAA covered entities and business associates and has required specific exceptions and direction from the Office of Civil Rights (OCR) underneath the Department of Health and Human Services (HHS).
Enforcement Discretion & Waiver
Within a week of the World Health Organization (WHO) declaring COVID-19 as a global pandemic, the first public health emergency related announcement was made by the OCR. In this press release, the OCR made it clear that they would begin to use discretion in their enforcement of HIPAA and waive potential violations of the law as it relates to the quick switch to using telehealth communication technology to continue to serve patients in this new manner. As long as organizations are practicing good faith in using these services only as needed and maintaining the security of protected health information (PHI) as much as possible, then the OCR will use discretion in punishing potential related HIPAA violations. More details about this key waiver can be found here: https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf.
Just under a month after the initial notice of the enforcement waiver, the OCR sent out another press release that included “Community Based-Testing Sites” (CBTS) in the potential violation discretion. This add-on was clear to include all mobile, drive-through or walk-up testing sites that were temporarily erected to only provide COVID-19 testing to the public.
PHI Disclosure Guidance Related to COVID-19 Exposure
One HIPAA-related issue that has continued to be brought up in discussions is that of how the law and regulations apply in terms of someone’s infection with or exposure to COVID-19. This is particularly as it relates to law enforcement, paramedics, other first responders and public health authorities as they seek to make wise decisions and take extra precautions in situations where they may be exposed. The OCR’s statement provided a few examples in which a covered entity may reveal this specific form of PHI outside of the typical bounds of PHI. Those situations include when treatment is needed, when the law requires it, when it places first responders at risk of exposure or when disclosure is needed to prevent a serious threat.
Media Access to Facilities Holding PHI
As the public health crisis has continued, HIPAA has been brought up in countless headlines as it relates to the media’s ability to access or distribute a patient’s COVID-19 related PHI. In early May the OCR released a statement about this very issue. They clarified that just as it was before the pandemic, each patient must give their HIPAA authorization that they condone their information being shared with the media before the media is provided any access to that PHI. As we have previously discussed through topics like HIPAA photography, a person’s likeness - even if hidden by a mask or a blurred edit - cannot be accessed by the media without that person’s clear authorization. Public health professionals have been working tirelessly to protect and take care of COVID-19 patients from further symptoms but they also must protect them from a film or media crew capturing them without patient-given permission.
Right of Access Initiative Settlements
Anyone that keeps an eye on the HIPAA violation settlements would be able to see the clear trend over the past year - the Right of Access Initiative. The HIPAA Right of Access Initiative was announced in 2019 but nearly all of the settlements that have been reached underneath this initiative occurred in 2020. In fact, out of the 14 total settlements that were reached under HIPAA throughout the year, 12 of them were reached under this initiative. That's over 80% of the focus of the HIPAA violation settlements in one year which follows through on their promise to “vigorously enforce” this initiative.
“Patients can’t take charge of their healthcare decisions, without timely access to their own medical information,” said Roger Severino, the OCR Director in a 2020 press release. The high concentration of Right of Access settlements are all “about empowering patients and holding health care providers accountable for failing to take their HIPAA obligations seriously enough.” Throughout 2020 it has remained clear that the OCR is going to continue to take patients' right of access very seriously, even to the point of considering making adjustments to the legislation to support this.
Potential Upcoming Changes to HIPAA
In December, just before the end of 2020 OCR underneath the Department of Health and Human Services (HHS) released a notice of proposed changes to the HIPAA Privacy Rule. These suggested changes have not been passed as law yet as they are in the 60 day comment period, however, they can still offer us clear guidance on where the changes to HIPAA may trend in the future. In February of 2021, we should see what next steps will be taken to further these proposed changes, check back to the blog around that time for any updates!
The central goal and intent behind the proposed updates to the HIPAA Privacy Rule are to increase the efficiency and effectiveness of the healthcare system by improving the process of patients accessing their own health information upon request, without providing additional strain or weight on the healthcare professionals themselves. Some of the specifics of these proposed changes are as follows
- Increased Options for Patients to Access Their PHI
- A Shorter Window for Covered Entities to Fulfill PHI Requests
- Streamlined PHI Request Completion Process
- More Transparency in PHI Fee Chart
End of Year Reflection
2020 was a busy and, dare we say, unprecedented year in many different respects but certainly in terms of public health and HIPAA guidance and enforcement. There was a gap in Resolution Agreements reached between covered entities and the OCR from the end of 2019 all the way until March of 2020. Having a period of time without settlements is not entirely uncommon, and doesn’t mean that the OCR isn’t actively investigating but rather that the resolutions haven’t been completed yet.
Despite this break, 2020 still ended up reaching more settlements and consistent enforcement than in the past couple years. HIPAA has risen as a more common word in headlines and media conversations than we have ever seen before. As the eyes turn to the healthcare industry, the OCR has continued to release helpful information, guidance, and discretion when necessary in order to enforce HIPAA but still allow flexibility as needed in this unique circumstance.