HIPAA and Pandemics: Finding a Balance
Many of us have, at some point, played the game of Telephone in our youth. The idea is simple: people gather in a circle, and someone whispers a short phrase into the ear of the person next to them. The message is relayed around the group, and the last person to receive it repeats, out loud, what they heard.
It is a humorous example of how a simple message can take on a life of its own and move away from the original intention.
The modern news cycle has a way of resembling a game of Telephone. The way news breaks, and the speed at which it is shared, leave plenty of room for speculation. But how is this reconciled when the reporting seems to ignore the rights afforded to individuals under the law?
HIPAA and COVID
During the pandemic, there has been no shortage of headlines about the Coronavirus. In particular, we are acutely aware of high-profile individuals who have contracted the virus. At this point, most of us could rattle off a couple of celebrities or athletes who have been reported as testing positive for COVID-19.
But why is this information known to the general public? Is spreading this information a violation of the rights of the individual?
In some cases, the individual in question or their publicity teams voluntarily share this information to spread awareness, but not always.
The Health Insurance Portability and Accountability Act (HIPAA) is a behemoth piece of legislation that, among other things, obligates businesses operating in the healthcare industry to protect the privacy and confidentiality of patients’ healthcare records.
So, the notion that the public would know about a COVID-19 diagnosis seems to conflict with the privacy ostensibly afforded to these individuals through healthcare legislation like HIPAA and HITECH.
Or does it?
Are COVID-19 Disclosures a Violation of HIPAA?
The pandemic has necessitated a host of changes to what we consider “normal” life. Professional sports, for example, have taken on a dramatically different look. Reporters, however, still have columns to fill, and when news broke that a prominent Dallas Cowboys running back had come down with COVID-19, headlines surged across sports media.
But the initial report itself raised questions about how this information became public:
“Elliott later questioned on Twitter why his medical information was made public by referencing the Health Insurance Portability and Accountability Act.”
The story turned into a bit of a media wildfire, and questions began to swirl about how the information could have been leaked. Ezekiel Elliott, the player reported to have contracted the virus, took to Twitter and responded simply with, “HIPAA ??”.
Several replies in the thread discussed the grey area this announcement seemed to fall within. From Dr. Eugene Gu:
“This is important for everyone to know. HIPAA only involves covered entities like doctors and other healthcare providers, hospitals, medical billing clearinghouses, and health insurance plans. It doesn’t cover employers, sports agents, and others.”
A brief dive into the Twitter exchange reveals opinions from users with a wide array of backgrounds. Some argued that a Covered Entity disclosing the infection to a member of the media would, in fact, be a violation of the protected health information (PHI) safeguards under HIPAA. The distinction matters: HIPAA restricts what covered entities and their business associates may disclose, not what an employer, a team, or a reporter may say.
So, while it appears that no HIPAA violation occurred in this instance, it is an interesting backdrop to the discussion of how HIPAA and a COVID-style pandemic can find a balance.
The OCR and HIPAA Penalty Waivers Solution
In March of this year, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced that it would exercise enforcement discretion and, in specific circumstances, waive penalties for certain HIPAA violations. While the announcement attracted attention from national media outlets, there is room to misinterpret what that discretion actually means for HIPAA-covered entities.
An article on Atlantic.Net, one of the largest providers of HIPAA-compliant hosting solutions for the US healthcare industry, warns against interpreting the OCR announcement to mean that HIPAA regulations can be ignored during the Coronavirus pandemic:
“The OCR is only waiving specific HIPAA enforcement rules to allow greater flexibility when providing healthcare services directly to patients during these uncertain times. The OCR is not relaxing HIPAA regulation, and covered entities must at all times uphold the integrity of protected health information.”
Additional confusion likely stemmed from waivers introduced by the Centers for Medicare &amp; Medicaid Services (CMS), which relieve doctors of the need to obtain a patient’s agreement before notifying immediate family in cases involving COVID-19. These waivers are narrow in scope and time-limited; they do not suspend the Privacy Rule as a whole.
What Businesses Can Do To Protect Themselves
If there is one thing to take away from this round of pandemic Telephone, it is that complex pieces of legislation such as HIPAA are not going away. Similarly, “leaked” reports of high-profile individuals contracting the virus may be a permanent part of the news cycle.
But a story issued by a publicity team is treated very differently from PHI leaked from a misconfigured database or exposed in some other breach event. Despite the relaxing of certain penalties, pleading ignorance is not an acceptable defense in the eyes of regulators. Each year, organizations found to be non-compliant are fined, and in some cases the penalties are large enough to bankrupt them.
It is important for businesses in the healthcare industry to do everything they can to maintain HIPAA compliance and protect sensitive patient information. But this does not mean the only solution is employing someone who understands every letter and nuance of HIPAA.
It can be as simple as partnering with vendors who have already done the research and offer HIPAA-compliant services. Under HIPAA such a vendor is a business associate, so the arrangement requires a signed business associate agreement, and the vendor’s compliance supplements rather than replaces the covered entity’s own obligations. Done properly, this adds a layer of protection in a worst-case scenario.
A self-audit is another helpful tool for assessing compliance; the HIPAA Security Rule already requires covered entities to perform a periodic risk analysis, so this is an obligation rather than extra credit. An annual review of how PHI is stored and encrypted, who can reach it over the network and how that access is logged, password and credential hygiene, and employee training can go a long way toward ensuring no unnecessary risks are taken with regard to HIPAA compliance.