David Holtzman, Executive Advisor for CynergisTek, sits down to discuss how healthcare organizations can flatten the curve in the spike of cybersecurity incidents that we are seeing during the COVID-19 pandemic. He will discuss strategies to leverage training materials designed to increase the information security IQ of healthcare providers and administrative staff working from home or using their personal devices to access information networks. David will also explore why video conferencing and text messaging technologies that meet the requirements of the HIPAA Security Rule standards could provide healthcare organizations resilience in this exceptional time.
Links to stories:
View the HHS.Gov Visio-Emergency Preparedness Disclosures chart: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/emergency/emergencyprepdisclose.pdf
Read a contributing article from David Holtzman: Tips for Secure Remote Worksites, Telehealth Video, and Messaging https://bit.ly/3br5jlz
Read a recent article from David Holtzman about how OCR relaxed HIPAA Rules for COVID-19 testing sites: https://bit.ly/3eBZKmp.
Hey, David. Thanks for joining us today!
Well, thank you Lauren, it’s a pleasure to join you today and to discuss how HIPAA allows sharing PHI during the COVID-19 emergency. And one note: we are recording this on April 6th, 2020, and some of the requirements may have changed by the time you hear this podcast. So, be sure to stay up to date with the changes that OCR may be publishing as we go through the COVID-19 health emergency.
But first a word about CynergisTek. Healthcare leaders turn to CynergisTek as a trustworthy and reliable source of support in cyber security, privacy, compliance, and information management expertise. Since 2004, CynergisTek has provided a holistic, pragmatic approach to help healthcare organizations meet their cyber security and information management goals. The company has been recognized in numerous third-party research reports as one of the top firms that provider organizations turn to for cyber security and privacy, and has won prestigious awards like KLAS Best in Class, Best Cyber Security Firm, and for Cyber Security Advisory Services.
So, it’s important to remember that here we are in the COVID-19 public health emergency and there have been a lot of changes and a lot of modifications announced by CMS, HHS, and the Office for Civil Rights, the federal agency at the Department of Health and Human Services that’s responsible for administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules.
But you know, it’s important to remember that this is not the first public health emergency that our country has faced since HIPAA was enacted, I’m sorry, since the HIPAA Privacy and Security Rules, and later the Breach Notification Rule, were enacted. And you know, the HIPAA rules were designed to be able to share information for treatment purposes generally, and specifically to provide the opportunity to share information in a public health emergency.
But what’s important to remember in this public health emergency that we’re currently facing for COVID-19 and in public health emergencies in general, is that most HIPAA standards are not relaxed or made discretionary during a period of health emergency.
So, it’s vital that covered entities and business associates implement and maintain reasonable safeguards to protect protected health information from unauthorized disclosures. PHI may only be used or disclosed in certain circumstances when needed for patient care or other important business and public health purposes.
In other words, the general provisions that only permit PHI to be disclosed for treatment, payment, and healthcare operations, those limitations on uses and disclosures, remain in force for the most part, and HIPAA covered entities and business associates must ensure that they’re safeguarding the confidentiality, integrity, and availability of patient information that they create and maintain on an electronic device or in an information system.
So, the HIPAA Privacy Rule specifically allows for covered entities, and in some cases business associates, to disclose protected health information without authorization. PHI may always be disclosed to the patient. PHI can be disclosed to other healthcare providers if necessary to treat the patient or if it would help treat a different patient. At OCR they call this the “Prime Directive”: the Privacy Rule shall not interfere with or interrupt the ability of a healthcare provider to treat their patient or to treat someone else’s patient.
So, the HIPAA Privacy Rule expressly permits disclosures to a public health authority as defined by the Privacy Rule, and that’s in 164.512. You could always disclose PHI to individuals who are at risk of contracting or spreading a disease or condition, when it’s authorized by law. So, for example, contact tracing of infected persons, as we’ve seen many public health agencies attempting to track who has been exposed to COVID-19. Then a little bit later in this program we’re going to talk about a specific advisory provided by OCR about disclosures to law enforcement organizations and first responders.
In addition, the privacy rule has always allowed healthcare providers discretion to share protected health information with family, friends, and caregivers that are involved in caring for that patient.
The healthcare provider is to use their professional judgment when it’s appropriate and in the best interest of the patient to share information so that the family, friends, and caregivers can provide continuing care when they are at home or outside of the traditional care facility, as well as to help the family, friend, or caregiver who’s in direct contact with the individual protect themselves from infection or from danger as a result of exposure to a communicable disease or transmittable virus like COVID-19. Also, PHI can be shared when there’s an imminent threat to public health and safety.
So, it’s important to remember that, except for purposes of sharing information for treatment between health care providers, in all of these instances in which sharing PHI is permitted by the Privacy Rule, the minimum necessary standard is always in place, so that only the minimum amount necessary to be shared with others is disclosed. So, an example of this would be, in the COVID-19 circumstance, you can absolutely share information with public health authorities, or with family, friends, and caregivers, about whether an individual has been exposed to or is being treated for COVID-19. But that does not permit the healthcare provider, or a covered entity or business associate, to share other information about past treatment of the individual. So, for example, if the individual is suffering from high blood pressure or has received family planning services in the past, that’s not something that you can share with the family members, caregivers, or others under the umbrella of the generalized permission to share information about treatment and transmission of COVID-19.
So, one focus of some recent guidance from the Office for Civil Rights is reminding folks that covered entities and business associates are permitted to share information related to COVID-19 with first responders and law enforcement when the disclosure is needed, for a number of specific examples. For example, if the first responder or the law enforcement organization is an emergency medical provider or is in some other way providing treatment directly to the individual. In addition, in some cases notification is required by law, or when the first responders may be at risk of infection, or to lessen or reduce a serious or imminent threat.
So, OCR provided some examples in their guidance document, which is available on OCR’s website at hhs.gov/hipaa; then click on the COVID-19 special box at the top of OCR’s website. So, OCR provides the following example: a covered entity such as a hospital may provide a list of names and addresses of all individuals it knows have tested positive or received treatment for COVID-19 to an EMS dispatch service for use on an on-call basis. And the EMS dispatch service, even if it is a covered entity, for example, a dispatch service operated by a fire department or rescue squad that receives reimbursement for emergency medical services that it provides, would be allowed to use the information on the list to inform EMS personnel who are responding to any particular emergency call, so that they take extra precautions or use personal protective equipment (PPE) in order to shield themselves, or to protect themselves from transmission from the individual who’s receiving the health care service for COVID-19.
In addition, a 911 call center may ask screening questions of all callers, for example, asking their temperature, whether they have a cough, or difficulty breathing, to identify potential cases of COVID-19. So, to the extent that the call center may be a HIPAA covered entity, the call center is then permitted to inform a police officer being dispatched to the scene, or EMS personnel dispatched to the scene, with the name, address, and screening results of the persons who may be encountered, so that the law enforcement officer or other first responder can take extra precautions or use PPE to lessen the first responder’s risk of exposure to COVID-19, even if the subject of the dispatch is a non-medical situation.
So, for example, it’s common for police officers or other first responders to be dispatched to a scene which ordinarily would not represent a risk of transmission for COVID-19. But if the dispatch call center is screening calls, they can forecast whether there is someone who is at risk of transmitting COVID-19 on the scene of the non-COVID-19-related call, like breaking up a bar fight, handling a domestic disturbance, or even responding to a traffic accident in which one of the parties is injured. It’s important that first responders have forewarning to know if one of the individuals on scene could be infected or have a risk of transmission of COVID-19.
So, another example of how OCR has provided guidance is using its enforcement discretion during this COVID-19 emergency. So, generally, business associates of covered entities may not use or disclose PHI for their own purposes or transmit it to third parties without the express permission or consent of the covered entity who owns the data or to whom they’re providing services.
Well, recently OCR issued guidance, in that they’re going to use their enforcement discretion, so that business associates who provide good faith disclosures of PHI for public health and health oversight activities will not be at risk for the imposition of penalties for violations of the HIPAA Privacy Rule.
So, an example here would be an EHR vendor like an Epic or a Cerner who maintains a cloud-based central record of electronic medical records across a number of healthcare providers. They may be contacted by a public health authority seeking information about individuals who may have been diagnosed with COVID-19 or who have been tested.
Ordinarily the business associate, like the EMR provider, would only be permitted to provide those disclosures within the scope of their vendor agreement. However, under OCR’s good-faith exception, they are not going to apply the penalties for violations of the HIPAA rules when these business associates have information that’s being sought by CDC, CMS, or state and local health departments who are seeking access to COVID-19 data.
However, it’s important to remember that under OCR’s good-faith exception the business associate is required to provide notice to the covered entities of the disclosures that they are making outside of the provisions of their BA agreement. Or, another way to think about it, for disclosures that they’re making directly to these public health authorities, they have to notify the covered entity within 10 calendar days.
So, this really changes the dynamic of how covered entities work with their business associates, and it also imposes upon covered entities some issues that they should be considering as they look at their business associates who are collecting this data, whether they be EMR providers or HIEs. The covered entities should be taking proactive steps to ensure that they have the appropriate information security safeguards to assemble and transmit the PHI that’s being sought directly from the BA by these government-affiliated public health agencies or organizations.
They should also be proactive in reaching out to business associates who have large quantities of data or who are conducting data analytics of PHI that’s transmitted by the covered entity, to confirm that there’s a process in place for providing the covered entity notice of when there’s been a disclosure of PHI directly from the business associate to these public health entities. You want to make sure that your business associate, if they’re going to respond to these requests and provide information, has a process in place to notify you (the covered entity) when these disclosures have taken place, and to ensure that there’s a process in place for the timely and complete accounting of what PHI was disclosed, who received the data, and the purpose of the disclosure. It’s important to keep in mind that the covered entity still has an obligation to do disclosure accounting for disclosures that are made for these public health purposes.
Remember, the HIPAA Privacy Rule’s accounting for disclosures requirement does not exempt disclosures that are made to public health authorities. These are not disclosures that are exempt from the accounting for disclosures rule. So, it’s important to have that line of communication with your business associate, to ensure that you’re receiving appropriate information, so that you can fulfill your obligation to perform accounting for disclosures.
So, on OCR’s website, they have a diagram first produced in 2008 for the H1N1 virus public health emergency response, but it’s still valid today. This is a schematic that helps organizations understand when they may disclose PHI for public health emergency purposes, and it’s valid today just as it was valid before. The Privacy Rule has not changed. Although note, business associates can now use this same schematic to understand when they may disclose PHI for public health purposes.
So, we also want to take this opportunity to cover that OCR previously issued enforcement discretion to allow healthcare providers to use commonly available messaging and video conferencing applications to provide treatment services to patients, so, using commonly available technologies like FaceTime, Google Hangouts Video, and WhatsApp chat and video services. This discretion to use these commonly available technologies applies to any health care treatment encounter and is not limited to telehealth services for Coronavirus assessment and testing. The goal HHS is trying to reach is to allow healthcare providers to continue providing healthcare services of all types through telehealth, to avoid face-to-face encounters, and that will be effective in limiting the spread of the COVID-19 virus while maintaining the availability of healthcare services. So, it’s important to remember that the use of these common technologies is limited to apps and programs that provide one-on-one communications, and that OCR continues to bar the use of apps and messaging technologies that broadcast video publicly, like Facebook Live, Twitch, or TikTok, and you should let patients know the risks of using unsecured technologies.
So, healthcare providers should remember that there are best practices that they should be using to safeguard electronic protected health information when providing telehealth services. They should use communication methods, when using smartphone, video conferencing, or other technologies, that safeguard the confidentiality, integrity, and availability of data, which generally means that these technologies can tell you that they are secure and encrypted. Providers should attempt to have business associate agreements in place with technology vendors prior to providing PHI or patient care via video conference. That still remains the best assurance to make sure that the appropriate safeguards are in place to protect the protected health information from unauthorized use or disclosure. And always try to choose telehealth vendors that can demonstrate that they have an effective risk-based information security program in place.
So, I wanted to provide just a brief table to help folks, as sort of a quick cheat sheet, of what some of the Privacy Rule requirements and their changes are during the COVID-19 public health emergency. Again, these are the provisions that are in place as of the date of this recording, April 6th, 2020.
So as always, we are available to you for any questions that may come up about how to use technologies to communicate with patients or the sharing that’s allowed under the Privacy Rule for treatment purposes, as well as to share information with first responders, law enforcement, and patients and their families. So, feel free to reach out to us; we’re here to help.
Remember we’re all in this together!
So, Lauren I’m ready for any questions or for you to wrap it up.
Thank you, David, for that information on HIPAA’s new PHI Rules. Quick follow-up question.
How long do you think the changes to the HIPAA Rules will last?
That’s a great question Lauren!
So, OCR has indicated that the enforcement discretion that they are using, for both sharing of information directly from business associates to public health authorities and for the ability to use commonly available telecommunication services and video conferencing, is going to last at least until the end of the public health emergency. But OCR will be sharing information about any changes through the channels that they normally use. They have a listserv, they also post on their website, and it’s been widely covered in the healthcare industry media.
Great, David, thank you very much! And just a reminder to our listeners (David, you might have to remind me), more information on this topic can be found at the CynergisTek website, www.cynergistek.com, as well as the OCR website. And David, if you could just remind us where to find this information, that would be great.
Absolutely. So, the OCR website is at hhs.gov/hipaa, and remember HIPAA is spelled with one P and two A’s, and they have a special page for their COVID-19 guidance and materials. You’ll see it brightly displayed at the top of OCR’s HIPAA page. And also, there’s a tremendous amount of guidance and FAQs for how the Privacy Rule allows for sharing in a public health emergency. Just go to the HIPAA page, click on Professionals, and you’ll see the topics on the left-hand side of the page.
All right, thank you. And with that, David, thank you for being here today, and thank you to our listeners for listening!