OCR Guidance on COVID-19 and HIPAA Disclosures

Office for Civil Rights Guidance on COVID-19 and HIPAA disclosures to law enforcement, paramedics, other first responders, and public health authorities
 by Kathy Lester, J.D., M.P.H.

On March 24, the Office for Civil Rights (OCR) released guidance clarifying that any covered entity may share the name or other identifying information of an individual who has been infected with, or exposed to, COVID-19 with law enforcement, paramedics, other first responders, and public health authorities without an individual’s authorization.  This clarification allows ground ambulance entities and their personnel to share the information consistent with the guidance.  It also allows other covered entities, such as hospitals and physicians, to share the information with ground ambulance entities and their personnel.  Finally, there are no HIPAA restrictions on non-covered entities, such as law enforcement, families, public health departments, and 911 call centers (not otherwise covered entities), sharing the information.  There may be State confidentiality laws that apply as well, and the AAA encourages ground ambulance entities to review the laws in the States in which they operate.

The authority to share this information is in the existing HIPAA regulation – this is not a waiver or a change in the current law.  OCR highlights the current authority in the guidance.

  • Disclosure of PHI pursuant to treatment (45 C.F.R. § 164.506(c)(2)). Covered entities may disclose PHI to another covered entity for purposes of treatment, payment, or health care operations.  The guidance provides the example of a skilled nursing facility (SNF) disclosing PHI about a COVID-19 positive individual to emergency transport personnel who will be treating a patient during the transport of the individual to a hospital emergency department.  This is an example and not the only scenario to which the disclosure policy applies.
  • Disclosures required by law (45 C.F.R. § 164.512(a)). Covered entities may disclose PHI when such disclosure is required by law.  The guidance provides the example of a hospital disclosing PHI about a COVID-19 positive individual to public health officials when such a disclosure is required by state law.  Again, this is an example and not the only scenario to which the disclosure policy applies.
  • Disclosure to public health authorities (45 C.F.R. §§ 164.512(b)(1) & 164.501 (definition of public health authority)). Covered entities may disclose PHI about a COVID-19 positive individual to a public health authority that is authorized by law to collect or receive such information for the purpose of controlling disease, injury, or disability.  The purposes include public health surveillance, public health investigations, and public health interventions.  Examples of public health authorities include the Centers for Disease Control and Prevention and state, tribal, local, and territorial public health departments.
  • Disclosures when risk of infection to a person (45 C.F.R. § 164.512(b)(1)(iv)).  A covered entity or public health authority may disclose to a person – including first responders – who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation.  The guidance provides the example of a county health department disclosing such information to a police officer to prevent or control the spread of COVID-19.  This authority would also apply to ground ambulance personnel, even though the example does not reference them specifically.
  • Disclosures to prevent or lessen a serious and imminent threat to the health and safety of a person or the public (45 C.F.R. § 164.512(j)(1)). Covered entities may disclose PHI to a person or the public to prevent or lessen a serious and imminent threat to the health and safety of a person or the public when the disclosure is made to someone who the person making the disclosure believes can prevent or lessen the threat.  The guidance provides an example of disclosing COVID-19 status to firefighters, child welfare workers, mental health crisis personnel, or others – which would include ground ambulance personnel as well.  The covered entity must believe in good faith that the disclosure is necessary to prevent or minimize the imminent threat to the person or the public.
  • Disclosure to a correctional institution or law enforcement having lawful custody of an inmate or other individual under certain circumstances (45 C.F.R. § 164.512(k)(5)). Covered entities may disclose PHI related to an inmate’s positive COVID-19 status under the following circumstances:
      • Providing health care to the individual;
      • The health and safety of the individual, other inmates, officers, employees, and others present at the correctional institution, or persons responsible for the transporting or transferring of inmates;
      • Law enforcement on the premises of the correctional institution; or
      • The administration and maintenance of the safety, security, and good order of the correctional institution.

The guidance provides the example of a physician at a medical facility sharing an inmate’s positive COVID-19 status with correctional guards.

For all of these disclosures, with the exception of those that are required by law or for the purpose of treatment, the covered entity must provide the minimum amount of information necessary to accomplish the purpose.  For example, the guidance states that a hospital should not distribute a list of individuals who are COVID-19 positive or suspected to have the virus to EMS personnel, but rather disclose the information on a case-by-case basis about the specific patient being treated.  Similarly, a 911 call center that is a covered entity may provide such information to a police officer or similar personnel being dispatched to the scene to allow the responder to take the necessary precautions.

The guidance also provides additional examples that reference specific types of covered entities, but these are just examples.  The laws apply to all covered entities and not just those highlighted in the examples.

HHS OCR Requests Feedback on HIPAA Privacy Rule

On January 28, 2019, the Department of Health and Human Services Office for Civil Rights (HHS OCR) issued a Request for Information (RFI) seeking input from covered entities regarding several aspects of the Health Insurance Portability and Accountability Act (HIPAA).  Specifically, the HHS OCR is seeking input regarding several elements of the Privacy Rule, including the following:

  • Encouraging information-sharing for treatment and care coordination
  • Facilitating parental involvement in care
  • Addressing the opioid crisis and serious mental illness
  • Accounting for disclosures of PHI for treatment, payment, and health care operations as required by the HITECH Act
  • Changing the current requirement for certain providers to make a good faith effort to obtain an acknowledgment of receipt of the Notice of Privacy Practices

I am aware that several AAA member services have struggled with many of the HIPAA restrictions regarding the sharing of PHI with other healthcare entities, in particular with regard to individuals who suffer opioid overdoses and efforts to ensure the individual has access to drug treatment programs.  Additionally, HHS OCR is seeking input from covered healthcare providers regarding the “good faith” efforts to obtain acknowledgement of the receipt of Privacy Practices.  This has been a considerable challenge for EMS given the nature of our healthcare delivery model.  The relaxing of this regulatory requirement would substantially reduce the burden on EMS agencies.

The AAA recommends that our members review the HHS OCR Request for Information and submit comments by the February 12, 2019 deadline.  If members have any questions or need assistance in submitting their comments, the AAA is here to help.

HIPAA Breach Results in Highest Settlement in OCR History

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced earlier this month that it has entered into the largest settlement agreement in the history of the Department with Anthem, Inc., one of the largest Blue Cross and Blue Shield health benefit companies in the country.  Anthem, Inc. agreed to pay $16 million to HHS and take substantial corrective action to settle numerous potential violations of both the HIPAA Privacy and Security Rules after it exposed protected health information (PHI) for nearly 79 million people.

In March 2015, Anthem filed a breach report with OCR after it discovered that its Information Technology (IT) systems had been infiltrated by cyber-attackers who gained access after an Anthem employee opened a phishing email.  This email released an undetected advanced persistent threat attack that permitted the cyber-attackers to access Anthem's systems from December 2014 through the end of January 2015.  This attack opened access that ultimately resulted in the PHI of nearly 79 million people being stolen.

OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis.  Additionally, OCR determined that Anthem “failed to have sufficient policies and procedures to regularly review IT system activity, identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent impermissible access to electronic PHI.”

As part of the settlement, Anthem must comply with a Corrective Action Plan (CAP) for a period of two years.  As part of that CAP, Anthem must conduct an “accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI held by Anthem.” This risk assessment must be submitted to OCR for review and approval.  The CAP includes the review, revision, and distribution of all written policies and procedures addressing Information System Activity Review and Access Control for systems containing ePHI.  The CAP requires regular and ongoing reporting to OCR for actions taken under the Plan and for any reportable events.

The day following the Anthem, Inc. settlement press release, OCR and the Office of the National Coordinator for Health Information Technology (ONC) announced that they have strengthened the Security Risk Assessment (SRA) Tool to improve functionality.  The SRA is designed for use by small to medium sized health care providers to help them identify risks and vulnerabilities to ePHI within their practices.  All HIPAA covered entities and business associates are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI in their organizations.

Ambulance services should conduct a comprehensive Risk Analysis of their systems.  This Risk Analysis should include all provisions and requirements under HIPAA.  While this settlement highlights the significant risks associated with ePHI and IT systems, there remain significant risks to PHI in non-electronic forms as well.  This settlement is a great illustration of how apathy or reduced focus can result in potentially devastating results.

Contact the American Ambulance Association (AAA) with questions or for assistance regarding any HIPAA related or other ambulance service compliance issue.

HIPAA and Mobile Devices: What Your Service Needs to Know

For ambulance services, HIPAA compliance is a particularly sensitive issue. Because of the sensitive nature of the health data that EMS and EMT professionals deal with on a daily basis, HIPAA Privacy and Security standards must be carefully adhered to.

This issue becomes even more sensitive when you consider that most of the data collected during pre-hospital care will likely be collected, tracked, and documented on a mobile device. Laptops, smartphones, and tablets are indispensable tools for ambulance care. Most of these devices will have access to electronic health records (EHR) platforms, which will in turn be connected to the rest of a hospital’s EHR data.

While mobile devices can provide convenience in life-or-death situations, they are also particularly vulnerable to the risk of a data breach. A data breach of unsecured health information can lead to serious HIPAA violations and put patient privacy at risk.

The kind of health information that these devices have access to is called protected health information, or PHI. PHI is any demographic information that can be used to identify a patient. Common examples of PHI include names, dates of birth, medical information, insurance ID numbers, addresses, full facial photos, and telephone numbers, to name a few.

The HIPAA Rules set specific standards for maintaining the privacy, security, and integrity of PHI. Though the regulation can seem complex, the standards are in place to safeguard PHI. As per HIPAA, ambulance services necessarily fall under the category of Covered Entities, meaning that they are responsible for maintaining compliance with both the HIPAA Privacy Rule and the HIPAA Security Rule.

These two rules set limits for how and when PHI must be stored and accessed. Below, we list a few of the major components of the HIPAA Rules that all ambulance services can implement in order to keep PHI safe and secure on the go.

  • All mobile devices that can access PHI must have full-disk encryption. Additionally, all devices should be routinely backed up on encrypted servers. In the event that a device is lost or stolen, full-disk encryption will keep hackers or thieves from accessing sensitive health data.
  • Your organization should have HIPAA policies and procedures in place pertaining to mobile devices taken “off-site.” This would necessarily include all laptops, tablets, and smartphones with access to PHI that are used in pre-hospital care in an ambulance. By outlining when devices are permitted to be used, who is permitted to use them, and how they are to be handled in off-site settings, your organization will mitigate the risk to PHI stored on these devices.
  • Keep a full inventory of all devices within your organization that can access or handle PHI in any way. Routine check-ups on the condition and location of devices listed in your inventory will help ensure that devices are not misplaced. And in the event that a device is misplaced or stolen, organization officials will notice as soon as the inventory is reviewed so that action can be taken to remedy the breach.
  • Access to PHI on mobile devices and in pre-hospital settings should be limited only to essential members of the organization’s workforce. This is known as the Minimum Necessary Standard. It’s a part of the HIPAA Privacy Rule that states that access to PHI must be limited based on employees’ roles, and that when access is granted, it should be limited to the minimum access necessary for each employee to perform their role.

These are just a few of the ways that ambulance services can protect PHI and comply with HIPAA mobile device standards.

In addition to the actions listed above, a total compliance program that addresses the full extent of the law must be in place in order to prevent HIPAA violations and data breaches.

Addressing HIPAA compliance can help ambulance services confidently treat their patients without worrying about the risk of data breaches or government fines.

HHS Office for Civil Rights Announces Phase 2 HIPAA Audit Review Program

On March 21, 2016, the Office for Civil Rights of the Department of Health and Human Services announced Phase 2 of its HIPAA Audit Program.  The Health Information Technology for Economic and Clinical Health Act (HITECH) required HHS to perform periodic audits of covered entities and business associates to assess their compliance with the HIPAA Privacy, Security and Breach Notification Rules.  These rules are enforced by the HHS Office for Civil Rights (OCR).

Background on Phase 1

In 2011, OCR implemented a pilot audit program to assess the controls and processes covered entities have adopted to meet their HIPAA obligations.  The pilot audit program was conducted in three phases.  OCR first developed a set of audit protocols that it would use to evaluate covered entities’ compliance.  This protocol was then tested using a limited number of audits.   The final step involved using the revised audit protocols on a larger number of covered entities.  Ultimately, 115 covered entities were selected for review, and all audits were concluded by December 31, 2012.

Phase 2

Phase 2 of the HIPAA Audit Program will focus on the policies and procedures adopted and employed by entities to meet the requirements of the Privacy, Security, and Breach Notification Rules.  OCR has indicated that these audits will be conducted primarily through desk audits (i.e., document submissions), although a limited number of on-site audits will also be conducted.

Unlike Phase 1, which focused exclusively on covered entities, OCR is indicating that Phase 2 will involve audits of both covered entities and their business associates.

As with the initial pilot audit program, Phase 2 will consist of several stages.  The first stage involves verification of a covered entity’s or business associate’s address and contact information.  A sample address verification letter can be viewed by clicking here.  OCR has indicated that emails will be sent to entities requesting accurate contact information for the entity.  OCR will then transmit a “pre-audit questionnaire” to the entity.  These questionnaires will be used to gather data about the size, type, and operations of potential auditees.  Based on this data, OCR will create potential audit subject pools.

Note: OCR has indicated that if an entity fails to respond to OCR’s request to validate its contact information and/or fails to return the pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool.  As a result, an entity that fails to respond may still be selected for audit and/or compliance review.  OCR is specifically reminding entities to check their email “junk” or “spam” folders for any communications from OCR.

Once OCR has developed its audit subject pools, it will randomly select auditees from these pools.  Auditees will then be notified by OCR of their participation.  OCR has indicated that the first set of audits will focus on covered entities, with a subsequent round of audits focused on business associates.  These audits will focus on compliance with specific requirements of the Privacy, Security, or Breach Notification Rules.  Auditees will be notified of the scope of their audit in a document request letter.  Both of these rounds will be desk audits.  OCR indicated that all desk audits will be completed by the end of December 2016.

A third round of on-site audits will take place after the completion of the desk audits, and will examine a broader scope of requirements under HIPAA.  OCR further indicated that desk auditees may also be subject to on-site audits.

If an entity is selected for audit, OCR will notify them by email.  The email will introduce the OCR audit team, explain the audit process, and discuss OCR’s expectations in greater detail.  The email notification letter will also include initial requests for documentation.  OCR has indicated that it will expect entities to respond to these documentation requests within ten (10) business days.  Documents will be submitted through a new secure online portal.  Once received, OCR’s auditors will review the submitted information and inform the entity of its draft findings.  The entity will then have ten (10) business days to respond with written comments, if any.  OCR will then review the entity’s comments and issue a final audit report within thirty (30) business days.

OCR has indicated that the audits are primarily intended as a compliance improvement activity.  OCR will use aggregated data to better understand compliance with respect to particular aspects of the HIPAA rules.  The goal is to understand what types of technical assistance and/or corrective actions would be most helpful.  In other words, OCR is indicating that the goal of these audits is to improve its understanding of the state of compliance, and not to penalize specific companies for violations.  However, OCR indicated that should an audit reveal a serious compliance issue, OCR may initiate a further compliance review of the company.

OCR indicated that it will not post a list of the audited entities, nor will its findings be available in a format that would clearly identify the audited entity.  However, OCR noted that audit notification letters and other information regarding these audits may be discoverable under the Freedom of Information Act (FOIA).

Additional information from OCR regarding the Phase 2 HIPAA Audit Program can be obtained by clicking here.