Those of you providing services to patients are probably knee-deep in understanding HIPAA as it applies to extraordinary circumstances such as a pandemic like COVID-19, which is currently sweeping the world. But we also work with a lot of Business Associates, especially software developers, that may not be aware of the ins and outs in times such as these. This post is for those who are wondering how their compliance requirements may or may not have changed in the past couple of months.
First, a bit of “housekeeping” …
What is a Business Associate?
A “Business Associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. (HHS.gov) This does not include an employee of the covered entity, but it can include all sorts of business partners such as software vendors that handle PHI (protected health information), cloud providers (like Connectria), document management and disposal companies, etc.
What About Employers?
HIPAA isn’t designed to cover traditional employer/employee transactions, e.g., approving requests for medical leave or enrolling in healthcare coverage. However, there are situations in which employers may cross the line into the “Covered Entity” territory. For example, let’s say you’re in manufacturing and you have an onsite nurse. If that nurse shares PHI with another healthcare provider, you probably* need to comply.
* You should always consult qualified legal experts when it comes to matters of compliance. That said, many of our industrial customers have elected to maintain compliance, whether they are bound by law or not, simply because it’s the right thing to do for their employees.
HHS Issues Guidance in February 2020
In the event of a pandemic, or any other crisis that affects the public health, the goal is to not be an obstacle to sharing information that could improve treatment or stem the tide of the disease, while at the same time protecting the privacy of the individuals involved.
The HIPAA Privacy Rule contains provisions that require the patient’s permission to speak with anyone, including family members and other providers, about their condition and treatment. Back in February, when things were just starting to heat up, HHS issued a bulletin on HIPAA Privacy and the Novel Coronavirus to communicate and clarify that rule in light of the threat. Their concern was clearly the spread of contagion by people traveling from China. But at the very least, this bulletin set the stage.
First and foremost, the bulletin confirms the Covered Entity’s ability to share information as necessary to treat the patient or to treat a different patient, without the patient’s consent. Note that this treatment provision applies only to sharing the information with other Covered Entities. (No alerting the media!)
The next clause confirms the covered entity’s ability to alert public health authorities such as the CDC or state and local public health agencies. They could also alert foreign agencies if needed as well as people at risk of contracting or spreading the disease. Note that there is no requirement to share the information with others who are likely to be infected. Even with other public health threats such as HIV and Hepatitis, there is no federal law that requires at-risk persons to be notified. (Though some states and cities do require it.)
Following up on the ability to notify, HHS also included a section that covered the ability to share information necessary to locate at-risk individuals, including but not limited to private organizations such as the Red Cross. Interestingly, the bulletin states that the disclosing entity should get verbal permission from patients whenever possible, but you don’t need to be a lawyer to know that there’s a big difference between “should” and “shall.”
There are a few more clauses in the bulletin which make for interesting reading, but I think you get the gist. The big question for those developing applications is “How does this apply to Business Associates?” Here’s what the bulletin has to say:
A business associate of a covered entity (including a business associate that is a subcontractor) may make disclosures permitted by the Privacy Rule, such as to a public health authority, on behalf of a covered entity or another business associate to the extent authorized by its business associate agreement.
So, you can share the information as outlined above, but ONLY if your signed Business Associate agreement authorizes you to do so. It’s important to make sure that your employees understand this limitation, as they may field requests from “intrepid reporters” and others looking for the inside scoop. Or, the requests may be legitimate, but if not allowed by your agreement, any such sharing can still be unlawful.
HHS Issues a LIMITED Waiver in March
On March 15, when it became clear that the virus couldn’t care less about our borders, HHS issued a Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency. For Business Associates, the key word is “limited.” If you read the details, you’ll see that it’s largely only applicable to providers themselves. For instance, those of you who are storing PHI or managing applications that handle the data are not exempt from HIPAA violations during the crisis.
But, it’s even more limited than that. The purpose of the waiver was to increase a hospital’s ability to share information and is limited:
- In the emergency area identified in the public health emergency declaration
- To hospitals that have instituted a disaster protocol
- For up to 72 hours from the time the hospital implements its disaster protocol
When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.
Specifically, this waiver waives the requirement to comply with the following provisions of the HIPAA Privacy Rule:
- the requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
- the requirement to honor a request to opt-out of the facility directory. See 45 CFR 164.510(a).
- the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
- the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
- the patient’s right to request confidential communications. See 45 CFR 164.522(b).
Additional Waiver on Telehealth
On March 17, to allow providers to prescreen more patients and limit exposure, HHS issued an additional waiver for the “good faith” use of telehealth services, which might not normally be in full compliance with HIPAA.
A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients.
So, for example, if a provider wanted to leverage a video conferencing service to consult with patients who are self-quarantining, they wouldn’t necessarily have to take the time to vet the service for HIPAA compliance, get a signed Business Associate agreement, etc. The caveat to this is that the service cannot be provided on a public-facing platform such as Facebook.
For More Information
I hope this helps those of you who may not deal with HIPAA concerns every day but are wondering how the latest guidance and waivers apply to your organization. Connectria offers HIPAA compliant private hosting environments as well as HIPAA compliant managed services for AWS and Azure. Our in-house experts are available to assist our customers with their annual audits. If you’d like to talk with me about your compliance efforts and any specific concerns, feel free to reach out to me directly.