
HIPAA Compliance Considerations During the Pandemic

As health care providers continue to face new challenges relating to the COVID-19 pandemic, it is important for providers to maintain compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Although the Department of Health and Human Services Office for Civil Rights (“OCR”) has loosened some requirements to allow health care providers flexibility during the COVID-19 pandemic, a majority of the patient protections under the HIPAA Privacy Rule have remained intact.

In March of 2020, OCR notified providers that it is exercising its enforcement discretion not to impose penalties for noncompliance with HIPAA in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public-facing remote communication product that is available to communicate with patients. For example, the guidance permits providers to use popular applications for video conferencing, such as Zoom, FaceTime, Google Hangouts and Facebook Messenger.

Providers are still encouraged to use video communication vendors who have stronger security capabilities to prevent data interception and to enter into a business associate agreement with video communication vendors to assure they will protect electronic health information. Additionally, providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

OCR has also provided updated guidance on two specific areas of HIPAA compliance: media coverage of COVID-19 patients and contacting former COVID-19 patients with information on donating plasma. OCR stated that the COVID-19 public health emergency does not impact the protections that prohibit patients’ information from being given to the media. If a patient’s protected health information were to be accessible to the media (for example, through a film crew) the provider would need to obtain a written HIPAA authorization from all applicable patients. The OCR determined that even the patient’s presence in an area of a facility dedicated to treatment of COVID-19 is protected because it reveals information about the patient’s diagnosis. If the provider obtains valid, written HIPAA authorizations from every patient in the area and every patient whose protected health information is accessible, then the media could film areas where COVID-19 patients are being treated.

Recently, OCR has provided insight as to whether a health care provider may use protected health information to contact a patient who has recovered from COVID-19. The guidance indicates that a provider may contact a patient to provide them with information on donating their plasma that contains antibodies to SARS-CoV-2, which are used for treating patients with COVID-19. HIPAA generally prohibits the disclosure of protected health information for marketing purposes without the patient’s authorization. However, the OCR does not consider contacting patients to provide information about donating plasma to be marketing. The OCR guidance further notes that while the health care provider, or one of its business associates, could contact patients for this purpose, the health care provider could not provide the information to a third party or allow a third party to contact patients with information about donating plasma.

Members of the Foster Swift health care practice group continue to monitor updates to HIPAA and relevant health care regulations to help providers navigate their responsibilities during the COVID-19 pandemic. Additionally, Foster Swift has its own legal cybersecurity hotline to assist a business or organization that has experienced a data breach or other cybersecurity incident. If you have any questions regarding how HIPAA applies to your organization, please contact one of the authors of this article.

While the information in this article is accurate at time of publication, the laws and regulations surrounding COVID-19 are constantly evolving. Please consult your attorney or advisor to make sure you have the most up-to-date information before taking action.

Categories: Compliance, Cybersecurity, Electronic Health Records, HIPAA

