Skip to content
Home » HIPAA Compliance COVID 19 Checklist

HIPAA Compliance COVID 19 Checklist

Interim Modifications in HIPAA Compliance Checklists During the COVID-19 Pandemic

Healthcare institutions are dealing with a national public health catastrophe that has never been witnessed before. The COVID-19-causing Novel Coronavirus (SARS-CoV-2) is forcing healthcare firms to improve their normal operating methodologies and process flows, reconfigure healthcare facilities to properly separate patients, open private labs outside of their usual centers, collaborate with a slew of new providers and distributors, and rapidly expand telehealth and remote care services.

Health plans,  healthcare clearinghouses, medical providers,  and business partners and their subcontractors must still adhere with the HIPAA Privacy, Security, Breach Notification, and Omnibus Rules even during public health emergencies like the COVID-19 pandemic.

The HIPAA Rules protect healthcare activities during crises such as natural catastrophes and disease pandemics; nevertheless, the present COVID-19 countrywide public health crisis has necessitated the temporary implementation of extraordinary HIPAA compliance flexibilities.

The Office for Civil Rights at the Department of Health and Human Services understands that HIPAA compliance is even more challenging in these trying times. OCR has asserted that punishments and sanctions for noncompliance with several clauses of HIPAA Regulations will not be levied on healthcare professionals and their business associates for fair and reasonable provision of healthcare services during the COVID-19 public health emergency, in order to make sure that the flow of vital patient data is not hampered by HIPAA regulations and to aid healthcare professionals achieve high-quality care.

Enforcement Discretion Notice Regarding Telehealth Remote Communications

Healthcare providers have extended their telehealth and online care capabilities as health care facilities have constrained capacity and social distance and self-isolation mechanisms in place. The Centers for Medicare and Medicaid Services (CMS) has also extended telehealth possibilities to all Medicare and Medicaid participants for a limited time.

For the period of the COVID-19 public health crisis, OCR has issued a Notice of Enforcement Discretion addressing telehealth remote conversations to assist healthcare practitioners.

Although some of the platforms used to provide these services may not be entirely compliant with HIPAA Rules, the Office of Civil Rights (OCR) will not impose penalties for their usage during the COVID-19 public health crisis.

OCR explained, “Any non-public facing remote communication product that is available to communicate with patients can be used by a covered health care provider who wants to use audiovisual telecommunications to provide telecare to patients during the COVID-19 country wide public health crisis,”. Zoom, Google Hangouts video, Facebook Messenger Chat, and FaceTime are examples of such services; nevertheless, HIPAA-compliant platforms should be utilized wherever feasible.

Public-facing chat and video services like Facebook Live and TikTok are exempt from the Notice of Enforcement Discretion.

Enforcement Discretion Notice Regarding the Uses and Divulgence of PHI by Business Associates for Public Health and Health Oversight Activities

The HIPAA Privacy Rule only allows Business Associates of HIPAA Covered Entities to utilize and reveal PHI for general wellbeing and wellbeing oversight exercises assuming it is explicitly expressed that they can do as such in their Business Associate Agreement with a HIPAA Covered Entity.

On April 2, 2020, the Office of Civil Rights (OCR) gave a Notice of Enforcement Discretion, expressing that no consents or punishments will be imposed on Business Associates for genuine trust disclosures of PHI for general health purposes to any semblance of the Centers for Disease Control and Prevention (CDC), CMS, state and neighborhood health offices, and state crisis task forces, who require access to COVID-19 related information, including PHI. In all cases, any utilization or divulgence should be accounted for to the Covered Entity in the span of 10 days of the utilization or exposure happening.

The base important standard applies and exposures of PHI must be limited to the base fundamental add up to accomplish the target for which the data is revealed. The Security Rule is additionally active, so defends should be carried out to guarantee the privacy, honesty, and accessibility of all PHI sent corresponding to general wellbeing and wellbeing oversight exercises.

Enforcement Discretion Notice for Community-Based Testing Sites

OCR will exercise enforcement discretion and will not enforce fines or penalties on Covered Entities or Business Associates for their good conscience involvement in the operation of COVID-19 testing sites including mobile locations, walk-up, and drive-through. The Notice of Enforcement Discretion is effective to March 13, 2020, and it will be in effect for the length of the COVID-19 public health crisis. The Notice of Enforcement Discretion includes all operations in testing facilities that support specimen gathering and individual COVID-19 testing.

To preserve patient confidentiality and the security of any PHI utilized or acquired at these locations, reasonable protections must be adopted. The Notice doesn’t have any significant bearing to wellbeing plans or medical care clearinghouses when they are performing well being plan and clearinghouse capacities, nor to medical services suppliers or business relates that are not performing COVID-19 Community-Based Testing Site exercises, regardless of whether those exercises are performed at the testing locales.

Enforcement Discretion Notice Regarding Web-Based Scheduling Applications for Scheduling of COVID-19 Vaccination Appointments

On January 19, 2021, the Office of Civil Rights (OCR) announced that it will practice implementation attentiveness and won’t force punishments or authorizations on HIPAA covered substances or their business partners for infringement of the HIPAA Rules regarding the great confidence utilization of on the web or electronic planning applications (WBSAs) for booking COVID-19 immunization arrangements.

When an entity fails to operate in good faith, the enforcement discretion does not apply. Instances of dishonesty utilization of WBSAs incorporate, however are not restricted to, the utilization of a WBSA when the terms of administration forbid the utilization of the WBSA for booking medical care administrations; on the off chance that the arrangement doesn’t consolidate sensible security shields to forestall unapproved admittance to ePHI; utilization of WBSAs to lead benefits other than planning arrangements for COVID-19 immunizations; utilization of a WBSA for evaluating people for COVID-19 before an in-person medical services visit.

While HIPAA punishments won’t be forced, OCR empowers HIPAA-covered substances and business partners to guarantee that sensible protections are carried out to guarantee the protection and security of medical care information, for example, the utilization of encryption, restricting information input into the frameworks to the base fundamental data, and initiating all suitable protection settings.

OCR will practice implementation carefulness right away and will be retroactive to December 11, 2020.

Sharing COVID-19 patient information with first responders

Under some circumstances, OCR has verified that HIPAA Rules allow the sharing of PHI with first responders such as law enforcement, public safety institutions, paramedics and others without first obtaining a HIPAA consent from a patient.

The HIPAA Privacy Rule, according to the Office of Civil Rights, allows disclosures of Protected Health Information for the purposes of treatment (e.g., from a care facility to medical transport employees), when legally required (e.g., to cooperate with province infectious disease reporting standards), and to avert illness, physical harm, or impairment. This comprises disclosure of information for public health surveillance and to public health officials to aid in disease prevention and control.

PHI can also be shared with first responders who may be at risk of infection in order to help avoid or mitigate a significant and substantial harm to a person’s or the public’s health and safety. OCR made sense of that it is allowable to “unveil PHI about people who have tried positive for COVID-19 to local group of fire-fighters staff, youngster government assistance workers, emotional wellness emergency administrations workforce, or others accused of safeguarding the wellbeing or security of the general population assuming the shrouded element puts stock sincerely that the revelation of the data is important to forestall or limit the danger of unavoidable openness to such faculty in the release of their obligations.”

HIPAA additionally allows divulgences of PHI while answering a solicitation for PHI by a restorative establishment or policing, that has legitimate authority of a detainee or other person. The divulgences are allowed when PHI is expected to give medical services to a person, to guarantee the wellbeing and wellbeing of staff and different prisoners, to policing the premises, and to assist with keeping up with wellbeing, security, and great request in a remedial foundation.

The base fundamental standard applies in all cases and exposures of PHI ought to be limited to the base vital sum to accomplish the goal for which the data is revealed.