Office for Civil Rights Guidance on COVID-19 and HIPAA disclosures to law enforcement, paramedics, other first responders, and public health authorities
by Kathy Lester, J.D., M.P.H.
On March 24, the Office for Civil Rights (OCR) released guidance clarifying that any covered entity may share the name or other identifying information of an individual who has been infected with, or exposed to, COVID-19 with law enforcement, paramedics, other first responders, and public health authorities without an individual’s authorization. This clarification allows ground ambulance entities and their personnel to share the information consistent with the guidance. It also allows other covered entities such as hospitals, physicians to share the information with ground ambulance entities and their personnel. Finally, there are no HIPAA restrictions on non-covered entities, such as law enforcement, families, public health departments, and 911 call centers (not otherwise covered entities), from sharing the information. There may be State confidentiality laws that apply as well, and the AAA encourages ground ambulance entities to review the laws in the States in which they operate.
The authority to share this information is in the existing HIPAA regulation – this is not a waiver or a change in the current law. OCR highlights the current authority in the guidance.
The guidance provides the example of a physician at a medical facility sharing an inmate’s positive COVID-19 status with correctional guards.
For all of these disclosures, with the exception of those that are required by law or for the purpose of treatment, the covered entity must provide the minimum amount of information necessary to accomplish the purpose. For example, the guidance states that a hospital should not distribute a list of individuals who are COVID-19 positive or suspected to have the virus to EMS personnel, but rather disclose the information on a case-by-case basis about the specific patient being treated. Similarly, a 911 call center that is a covered entity may provide such information to a police office or similar personnel being dispatched to the scene to allow the responder to take the necessary precautions.
The guidance also provides additional examples that reference specific types of covered entities, but these are just examples. The laws apply to all covered entities and not just those highlighted in the examples.
The DHS Office of Civil Rights has released guidance for mobile healthcare providers serving in the COVID-19 pandemic.
Download the PDF Guidance►
On January 28, 2019, the Office of Health and Human Services the Office for Civil Rights (HHS OCR) issues a Request for Information (RFI) seeking input from covered entities regarding several aspects of the Health Insurance Portability and Accountability Act (HIPAA). Specifically, the HHS OCR is seeking input regarding several elements of the Privacy Rule, including the following:
I am aware that several AAA member services who have struggled with many of the HIPAA restrictions regarding the sharing of PHI with other healthcare entities. In particular, with regard to individuals who suffer opioid overdoses and efforts to ensure the individual has access to drug treatment programs. Additionally, HHS OCR is seeking input from covered healthcare providers regarding the “good faith” efforts to obtain acknowledgement of the receipt of Privacy Practices. This has been a considerable challenge for EMS given the nature of our healthcare delivery model. The relaxing of this regulatory requirement would substantially reduce the burden on EMS agencies.
The AAA recommends that our members review the HHS OCR Request for Information and submit comments by the February 12, 2019 deadline. If members have any questions or need assistance in submitting their comments, the AAA is here to help.
The U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced earlier this month that is has entered into the largest settlement agreement in the history of the Department with Anthem, Inc., the largest Blue Cross and Blue Shield health benefit companies in the country. Anthem, Inc. agreed to pay $16 million to HHS and take substantial corrective action to settle numerous potential violations of both HIPAA Privacy and Security Rules after it exposed protected health information (PHI) for nearly 79 million people.
In March 2015 Anthem filed a breach report with OCR after they discovered that their Information Technology (IT) systems were infiltrated by cyber-attackers who had gained access to their systems after an Anthem employee opened a phishing email. This email released an undetected continuous persistent threat attack that permitted the cyber-attackers to access their systems from December 2014 through the end of January 2015. This attack opened access that ultimately resulted in the PHI of nearly 79 million people to be stolen.
OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis. Additionally, OCR determined that Anthem “failed to have sufficient policies and procedures to regularly review IT system activity, identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent impermissible access to electronic PHI.”
As part of the settlement, Anthem must comply with a Corrective Action Plan (CAP) for a period or two years. As part of that CAP, Anthem must conduct an “accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI held by Anthem.” This risk assessment must be submitted to OCR for review and approval. The CAP includes the review, revision, and distribution of all written policies and procedures addressing Information System Activity Review and Access Control for systems containing ePHI. The CAP requires regular and ongoing reporting to OCR for actions taken under the Plan and for any reportable events.
The day following the Anthem, Inc. settlement press release, OCR and the Office of the National Coordinator for Health Information Technology (ONC) announced that they have strengthened the Security Risk Assessment (SRA) Tool to improve functionality. The SRA is designed for use by small to medium sized health care providers to help them identify risks and vulnerabilities to ePHI within their practices. All HIPAA covered entities and business associations are required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI in their organizations.
Ambulance services should conduct a comprehensive Risk Analysis of their systems. This Risk Analysis should include all provisions and requirements under HIPAA. While this settlement highlights the significant risks associated with ePHI and IT systems, there remains significant risks to PHI in non-electronic forms as well. This settlement is a great illustration of how apathy or reduced focus can result in potentially devastating results.
Contact the American Ambulance Association (AAA) with questions or assistance regarding any HIPAA related or other ambulance service compliance issue.
For ambulance services, HIPAA compliance is a particularly sensitive issue. Because of the sensitive nature of the health data that EMS and EMT professionals deal with on a daily basis, HIPAA Privacy and Security standards must be carefully adhered to.
This issue becomes even more sensitive when you consider that most of the data collected during pre-hospital care will likely be collected, tracked, and documented on a mobile device. Laptops, smartphones, and tablets are indispensable tools for ambulance care. Most of these devices will have access to electronic health records (EHR) platforms, which will in turn be connected to the rest of a hospital’s EHR data.
While mobile devices can provide convenience in life-or-death situations, they are also particularly vulnerable to the risk of a data breach. A data breach of unsecured health information can lead to serious HIPAA violations and put patient privacy at risk.
The kind of health information that these devices have access to is called protected health information, or PHI. PHI is any demographic information that can be used to identify a patient. Common examples of PHI include names, dates of birth, medical information, insurance ID numbers, addresses, full facial photos, and telephone numbers, to name a few.
The HIPAA Rules set specific standards for maintaining the privacy, security, and integrity of PHI. Though the regulation can seem complex, the standards are in place to safeguard PHI. As per HIPAA, ambulance services necessarily fall under the category of Covered Entities, meaning that they are responsible for maintaining compliance with both the HIPAA Privacy Rule and the HIPAA Security Rule.
These two rules set limits for how and when PHI must be stored and accessed. Below, we list a few of the major components of the HIPAA Rules that all ambulance services can implement in order to keep PHI safe and secure on the go.
These are just a few of the ways that ambulance services can protect PHI and comply with HIPAA mobile device standards.
In addition to the actions listed above, a total compliance program that addresses the full extent of the law must be in place in order to prevent HIPAA violations and data breaches.
Addressing HIPAA compliance can help ambulance services confidently treat their patients without worrying about the risk of data breaches or government fines.
On March 21, 2016, the Office for Civil Rights of the Department of Health and Human Services announced Phase 2 of its HIPAA Audit Program. The Health Information Technology for Economic and Clinical Health Act (HITECH) required HHS to perform periodic audits of covered entities and business associates to assess their compliance with the HIPAA Privacy, Security and Breach Notification Rules. These rules are enforced by the HHS Office for Civil Rights (OCR).
In 2011, OCR implemented a pilot audit program to assess the controls and processes covered entities have adopted to meet their HIPAA obligations. The pilot audit program was conducted in three phases. OCR first developed a set of audit protocols that it would use to evaluate covered entities’ compliance. This protocol was then tested using a limited number of audits. The final step involved using the revised audit protocols on a larger number of covered entities. Ultimately, 115 covered entities were selected for review, and all audits were concluded by December 31, 2012.
Phase 2 of the HIPAA Audit Program will focus on the policies and procedures adopted and employed by entities to meet the requirements of the Privacy, Security, and Breach Notification Rules. OCR has indicated that these audits will be conducted primary through desk audits (i.e., document submissions), although by a limited number of on-site audits will also be conducted.
Unlike Phase 1, which focused exclusively on covered entities, OCR is indicating that Phase 2 will involve audits of both covered entities and their business associates.
As with the initial pilot audit program, Phase 2 will consist of several stages. The first stage involves verification of a covered entity’s or business associate’s address and contact information. A sample address verification letter can be viewed by clicking here. OCR has indicated that emails will be sent to entities requesting accurate contact information for the entity. OCR will then transmit a “pre-audit questionnaire” to the entity. These questionnaires will be used to gather data about the size, type, and operations of potential auditees. Based on this data, OCR will create potential audit subject pools.
Note: OCR has indicated that if an entity fails to respond to OCR’s request to validate its contact information and/or fails to return the pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool. As a result, an entity that fails to respond may still be selected for audit and/or compliance review. OCR is specifically reminding entities to check their email “junk” or “spam” folders for any communications from OCR.
Once OCR has developed its audit subject pools, it will randomly select auditees from these pools. Auditees will then be notified by OCR of their participation. OCR has indicated that the first set of audits will focus on covered entities, with a subsequent round of audits focused on business associates. These audits will focus on compliance with specific requirements of the Privacy, Security, or Breach Notification Rules. Auditees will be notified of the scope of their audit in a document request letter. Both of these rounds will be desk audits. OCR indicated that all desk audits will be completed by the end of December 2016.
A third round of on-site audits will take place after the completion of the desk audits, and will examine a broader scope of requirements under HIPAA. OCR further indicated that desk auditees may also be subject to on-site audits.
If an entity is selected for audit, OCR will notify them by email. The email will introduce the OCR audit team, explain the audit process, and discuss OCR’s expectations in greater detail. The email notification letter will also include initial requests for documentation. OCR has indicated that it will expect entities to respond to these documentation requests within ten (10) business days. Documents will be submitted through a new secure online portal. Once received, OCR’s auditors will review the submitted information and inform the entity of its draft findings. The entity will then have ten (10) business days to respond with written comments, if any. OCR will then review the entity’s comments and issue a final audit report within thirty (30) business days.
OCR has indicated that the audits are primarily intended as a compliance improvement activity. OCR will use aggregated data to better understand compliance with respect to particular aspects of the HIPAA rules. The goal being to understand what types of technical assistance and/or corrective actions would be most helpful. In other words, OCR is indicating that the goal of these audits is to improve its understanding of the state of compliance, and not to penalize specific companies for violations. However, OCR indicated that should an audit reveal a serious compliance issue, OCR may initiate a further compliance review of the company.
OCR indicated that it will not post a list of the audited entities, nor will its findings be available in a format that would clearly identify the audited entity. However, OCR noted that audit notification letters and other information regarding these audits may be discoverable under the Freedom of Information Act (FOIA).
Additional information from OCR regarding the Phase 2 HIPAA Audit Program can be obtained by clicking here.