By Dr. Phyllis Miller, Ph.D., RHIA, RHIT, CHPS, Lean Six Sigma Green Belt, AHIMA ICD-10-CM/PCS Trainer
As August 21, 2020 marks the 24th anniversary of Bill Clinton’s HIPAA Law, it is not a bad time to reflect on how the law has been doing. As with any big changes in healthcare, whether the advent of electronic health systems (EHRs) in the past decade or a pandemic like COVID-19, nothing stays the same. All laws, rules and regulations occasionally need some breathing room, and this also applies to HIPAA. Here is an update on HIPAA changes and some examples of what not to do.
The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is responsible for enforcing various rules and regulations issued under HIPAA, which was amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act to protect the privacy and security of protected health information.
New Telecommunication Rules
During the COVID-19 national emergency, which also constitutes a nationwide public health emergency, health care providers covered by HIPAA can now communicate with patients and provide telehealth services through remote communications technologies. Some of these technologies, and the manner in which they are used by HIPAA-covered health care providers, may not fully comply with the requirements of the HIPAA Rules.
As an example, a covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can do so. However, this does not mean or imply that the HIPAA rules no longer offer the basic protection of patients’ confidential medical information that they were designed to provide. It simply makes the jobs of providers a bit easier while delivering the same level of service to patients suffering from COVID-19.
OCR will also no longer impose penalties against providers and their business associates for violations of certain provisions of the HIPAA Privacy Rule. This change covers good faith uses and disclosures of PHI by business associates for public health and health oversight activities during the COVID-19 pandemic. It is designed to support federal public health authorities and health oversight agencies (such as the CDC and CMS), state and local health departments, and state emergency operations centers who need access to COVID-19 related data from business associates. These partners can now share this data without risk of a HIPAA penalty.
The OCR also issued guidance designed to help first responders and others to receive protected health information (“PHI”) regarding patients infected with or exposed to COVID-19. The guidance clarifies the regulatory provisions that covered entities may use to disclose minimum necessary PHI, such as name or other identifying information, to law enforcement, paramedics, and other first responders so that they can take extra precautions or use personal protective equipment.
These situations include when disclosure is necessary to provide treatment, when it is required by law, to notify a public health authority when responders may be at risk of infection, and to avoid or prevent a serious, imminent threat to health and safety. For example, a hospital can disclose a list of patients who have tested positive for COVID-19 to a 911 call center that can screen the list when responding to emergency calls to ensure that the responders take the necessary precautions. However, OCR advises that such a list could not be posted publicly.
Community-Based Testing Sites
The OCR will no longer impose penalties for violations of the HIPAA Rules against entities or business associates in connection with the operation of a COVID-19 Community-Based Testing Site (“CBTS”) during the pandemic. This notification supports HIPAA covered health care providers that may choose to participate in the operation of a CBTS, such as mobile, drive-through, or walk-up sites. However, the OCR requests covered health care providers participating in the good faith operation of a CBTS to implement reasonable safeguards to protect the privacy and security of individuals’ PHI.
For example, OCR recommends that CBTS set up canopies or similar barriers to provide some privacy to individuals during the collection process. It also requests the control of foot and car traffic to create adequate distancing (e.g., 6 feet) to minimize the ability of persons to see or overhear screening interactions. However, the OCR will not impose penalties for violations of the HIPAA Rules that occur in connection with the good faith operation of a CBTS.
What Can You Say About COVID-19 Patients
While patients’ privacy during COVID-19 is still firmly protected, the grey area is still what hospitals say about COVID-19 patients. While some are actively communicating and being transparent, others are declining to publicly disclose if one of their patients has COVID-19 to minimize liability. Penalties range from $100 to $50,000 for each HIPAA violation, up to $1.5 million a year.
More than 43% of 110 hospital and health system executives said the U.S. healthcare system wasn’t prepared to handle COVID-19, according to a new survey from Advis. Less than 40% said it was and the rest “didn’t know.” But keep in mind that HIPAA laws also protect against hospital employees leaking information about patients and even other employees who may be infected with the virus.
But the biggest risk is if the government subsequently investigates and exposes other issues. This has been the case at Rehoboth McKinley Christian Health Care Services (RMCHCS), a rural hospital located in Gallup, New Mexico, whose staff recently used COVID-19 to lead a coup against award-winning hospital CEO David Conejo. The hospital board power grab was led by Board Chair Laura Hammons, McKinley County Manager Anthony Dimas and Robert Zollinger, publisher of a local newspaper seeking vengeance over the hospital’s lack of advertising in his paper.
Zollinger and Hammons created such a media circus over COVID-19 hysteria that the federal government’s Centers for Medicare and Medicaid Services (CMS) decided to investigate Zollinger’s many negative articles, including a suspicious COVID-19 death. However, the CMS investigation did reveal that RMCHCS violated many requirements to review, investigate and resolve patient grievances within 10 days, ranging from medical issues to nurse rudeness and excessively high hospital bills. One patient was actually supposed to be transferred to her home but wound up in a long-term care facility! CMS notes patients have the right to receive care in a safe setting, but RMCHCS did not meet these standards.
COVID-19 Death Uncovered
These violations potentially led to a critically ill patient’s death from a poorly functioning ventilator, with RMCHCS staff implementing incorrect adjustments to the patient’s breathing tube. The tube slipped out of the patient’s windpipe, rendering it unable to pump oxygen into the patient’s lungs, among other findings such as nurses unable to locate doctors and failure to have an x-ray technician available.
This issue was brought to the attention of CMS by a May 8, 2020 Searchlight New Mexico article that reported on RMCHCS medical inefficiencies. The story violated the patient’s rights under HIPAA laws, but so did the hospital by providing enough details about the death that hospital staff figured out who the patient was. The hospital staff also leaked information about William Camorata, an employee who had COVID-19, as retaliation over his support of the hospital CEO.
Both cases are now being reviewed by attorneys who plan to file suit against RMCHCS. This is a classic example of knowing what and what not to say to the media and even other employees while complying with HIPAA rules.
Sport Team Media Leaks
Recently two high-profile sports team members have questioned how the media gained information about their COVID-19 test results and raised questions about a potential HIPAA violation.
Only HIPAA-covered entities, including hospitals, medical providers, labs, etc., can breach HIPAA. If a non-covered entity shares medical information with the media, it is not a HIPAA violation. On June 15, Ian Rapoport, an NFL reporter, posted on Twitter that Dallas Cowboys running back Ezekiel Elliott tested positive for COVID-19. Mr. Elliott responded by tweeting: “HIPAA??”
Sports blogging network SB Nation reported that the source of Mr. Rapoport’s information is undisclosed, but Mr. Elliott’s agent confirmed the diagnosis after being contacted about it.
St. Martinville, Louisiana Mayor Melinda Mitchell had a similar experience. On June 15, a local newspaper reported that she tested positive for COVID-19, and KLFY, a CBS affiliate, reported that her lawyers are looking into whether HIPAA laws were violated as a result. The mayor’s office claimed it did not leak the information, and her lawyers said they would take “appropriate action” if HIPAA was violated.