HIPAA Compliance News

Guidance on Contacting COVID-19 Patients to Request Blood and Plasma Donations

When patients contract an infectious respiratory disease such as COVID-19, the immune system develops antibodies that provide protection if the pathogen is encountered again. The antibodies in the blood of patients who recover from such an illness are valuable, as not only will they provide protection for the patient, that protection could potentially be transferred to other patients.

Through the donation of blood and plasma two preparations can be made: Convalescent plasma and hyperimmune immunoglobulin. Convalescent plasma and hyperimmune immunoglobulin have both been used to successfully treat patients who have contracted other viral respiratory diseases. Given the severity of COVID-19 and the high mortality rate, these treatments could be vital for patients who are struggling to fight the infection. Research studies are now underway to test whether antibody treatments are effective against COVID-19.

To participate in these programs, patients who have previously been diagnosed with COVID-19 will need to be contacted and asked if they are willing to donate blood and plasma, but is this contact permitted by the HIPAA Privacy Rule?

On June 12, 2020, the Department of Health and Human Services’ Office for Civil Rights issued guidance to healthcare providers on the HIPAA Privacy Rule and contacting COVID-19 patients to request blood and plasma donations.

OCR explained that the HIPAA Privacy Rule does not prohibit healthcare providers from contacting COVID-19 patients to request blood and plasma donations and prior authorization from the patient is not required.

Healthcare providers can contact patients to advise them about the opportunities for donating blood and plasma to support the response to COVID-19 to improve other patents’ chances of beating the disease.

HIPAA covered entities and business associates acting on their behalf can use or disclose PHI for the purpose of treatment, payment, and healthcare operations, without first receiving authorization to do so from a patient. Requesting a donation of blood or plasma does not fall into the category of treatment, as the blood/plasma will not be used to treat the patient, instead it is being used for population-based health care operations to improve health, case management, and care-coordination, which are included in the definition of healthcare operations.

There is some confusion over whether contacting patients to solicit blood donations would constitute marketing communications, which are generally not permitted by the HIPAA Privacy Rule without prior authorization from a patient.

In this case, an exception to the Privacy Rule’s Marketing provision applies. “A covered health care provider is permitted to make such communication for the covered entity’s population-based case management and related health care operations activities, provided that the covered entity receives no direct or indirect payment from, or on behalf of, the third party whose service is being described in the communication (e.g., a blood and plasma donation center),” explained OCR in the guidance.

An authorization is required from a patient before PHI can be disclosed to a third party, such as a blood and plasma donation center, to allow a COVID-19 patient to be contacted to request blood and plasma donations for the donation center’s own purposes.

The post Guidance on Contacting COVID-19 Patients to Request Blood and Plasma Donations appeared first on HIPAA Journal.

Safe Partner Inc. Confirmed as HIPAA Compliant

Compliancy Group has announced that Safe Partner Inc. has demonstrated it has implemented an effective HIPAA compliance program and has successfully completed its proprietary 6-stage HIPAA risk analysis and remediation process.

Safe Partner Inc. is a Belmont, CA-based boutique software development and consulting company that provides a full range of software services, from design to development, implementation, and ongoing customer support. The company was formed in 1995 and works with clients in a wide range of industry sectors, including healthcare. Some of the software solutions developed by the company interact with healthcare data, which means the company is classed as a business associate and must comply with HIPAA Rules.

To ensure that no aspect of HIPAA compliance was missed, Safe Partner Inc sought assistance from Compliancy Group. Assisted by the company’s compliance coaches and using the firm’s HIPAA compliance tracking software solution, The Guard, Safe Partner Inc was able to demonstrate its HIPAA compliance program covered all aspects of the HIPAA Privacy, Security, Omnibus, and Breach Notification Rules. The company also conducted a comprehensive risk analysis to identify all potential risks to the confidentiality, integrity, and availability of protected health information, and ensured risks were effectively mitigated in accordance with the requirements of the HIPAA Security Rule.

After demonstrating to Compliancy Group that its policies and procedures met the minimum standards required by HIPAA, the company’s good faith effort toward HIPAA compliance was recognized and the company was awarded the Compliancy Group HIPAA Seal of Compliance.

The HIPAA Seal of Compliance helps the company differentiate its services and demonstrates to current and future clients that Safe Partner Inc. is committed to ensuring the privacy and security of any healthcare data provided to the company or accessible through its software solutions.

The post Safe Partner Inc. Confirmed as HIPAA Compliant appeared first on HIPAA Journal.

Healthcare Workers in Michigan and Illinois Fired for HIPAA Violations

Ann & Robert H. Lurie Children’s Hospital of Chicago has terminated an employee for improperly accessing the medical records of patients without authorization over a period of 15 months.

The privacy violations were identified by the hospital on March 5, 2020. The employee’s access to hospital systems was immediately terminated while the investigation was conducted. After reviewing access logs, the hospital found that the employee had accessed the medical records of 4,824 patients without authorization between November 2018 and February 2020.

The types of information accessed by the employee included names, addresses, dates of birth, diagnoses, medications, appointments, and medical procedures. No health insurance information, financial information, or Social Security numbers were accessed.

No reason as been given as to why the medical records were accessed, but the hospital says it does not believe the employee obtained, misused, or disclosed the information to anyone else. The hospital said the employee no longer works at the hospital.

This is not the first incident of its type to occur at Lurie Children’s Hospital. A similar incident was discovered in November 2019, when the hospital learned that a former employee accessed the medical records of patients without authorization between September 2018 and September 2019.

Mercy Health Fires Nurse for Multiple Privacy Violations

Mercy Health has also recently taken action against an employee for alleged violations of the HIPAA Privacy Rule. A nurse at Hackley Hospital in Muskegon, MI was terminated on April 3, 2020. The termination came shortly after the nurse raised concerns in media interviews about the level of preparedness of the hospital for the COVID-19 pandemic and how the alleged lack of preparedness put safety at risk. The nurse contacted the Michigan Nurses Association Labor Union, which claimed that Mercy Health fired the nurse for speaking out. The Labor Union also filed a charge with the National Labor Relations Board.

“Howe’s termination came on the evening of April 3, days after he had publicly raised concerns about lack of appropriate PPE and the need for improved screening measures to keep nurses and healthcare workers safe during the COVID-19 pandemic,” said the Labor Union in an April 21, 2020 press release.

10 days after the nurse was fired, and one day after the press release was issued by the Labor Union, Mercy Health released a press release of its own stating the nurse was fired for multiple violations of HIPAA Rules. Mercy Health said it does not usually share details about employment matters related to its workers but was compelled to speak out due to the “misinformation campaign” led by the Labor Union.

Mercy Health claims the fired nurse, Justin Howe, was terminated for accessing the medical records of multiple patients over a period of several days. The records were for not for patients receiving treatment at the campus where the nurse worked and there was no legitimate work reason for accessing those records. Mercy Health claims that Howe was not the only nurse terminated for improper medical record access.

According to Mercy Health’s press release, “We have mechanisms in place to monitor for inappropriate access of privileged information. As part of this review process, Mr. Howe along with others were terminated for the same. This investigative effort is still in process.”

The post Healthcare Workers in Michigan and Illinois Fired for HIPAA Violations appeared first on HIPAA Journal.

OCR Issues Guidance on Media and Film Crew Access to Healthcare Facilities

The HHS’ Office for Civil Rights (OCR) has issued guidance to healthcare providers to remind them that the HIPAA Privacy Rule does not allow the media and film crews to access healthcare facilities where patients’ protected health information is accessible unless written authorization has been obtained from the patients concerned in advance. A public health emergency does not change the requirements of the HIPAA Privacy Rule, which remains in effect in emergency situations.

OCR has made this clear in the past with enforcement actions against Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital in 2018 after it was discovered they had given film crews access to their facilities without first obtaining authorization from patients. They were fined a total of $999,000 for the HIPAA violations.

OCR has issued Notices of Enforcement Discretion during the coronavirus pandemic and will not be imposing sanctions and financial penalties on HIPAA-covered entities for certain violations of HIPAA Rules. Penalties can and will be imposed on covered entities for violations of HIPAA Rules not covered by the Notices of Enforcement Discretion, such as unauthorized disclosures to the media.

In the latest guidance, OCR explains that protected health information includes written, electronic, oral, and other visual and audio forms of health information which must be protected against unauthorized access and disclosure. In all cases, HIPAA authorizations must be obtained from patients in advance, before the film crews are granted access to the facilities. It is not permissible for film crews to simply mask the identities of patients in video footage, such as blurring faces before broadcast.

The HIPAA Privacy Rule does not prohibit film crews from entering healthcare facilities. Provided HIPAA authorizations have been obtained in advance from all patients who are in or will be in the areas accessed by the film crews, filming is permitted. However, in such situations, reasonable safeguards must still be put in place to protect against unauthorized disclosures of PHI, including measures such as privacy screens on computer monitors to prevent electronic PHI from being viewed. Screens must also be used to ensure patients who have not signed HIPAA authorizations are not filmed.

“The last thing hospital patients need to worry about during the COVID-19 crisis is a film crew walking around their bed shooting ‘B-roll,’” said Roger Severino, OCR Director.  “Hospitals and health care providers must get authorization from patients before giving the media access to their medical information; obscuring faces after the fact just doesn’t cut it.”

The post OCR Issues Guidance on Media and Film Crew Access to Healthcare Facilities appeared first on HIPAA Journal.

Ciitizen HIPAA Right of Access Study Shows Significant Improvement in Compliance

There has been a significant improvement in compliance with the HIPAA Right of Access, according to the latest Patient Record Scorecard Report from Ciitizen.

To compile the report, Ciitizen conducted a study of 820 healthcare providers to assess how well each responded to patient requests for copies of their healthcare data. A wide range of healthcare providers were assessed for the study, from single physician practices to large, integrated healthcare delivery systems.

The HIPAA Privacy Rule gives patients the right to request a copy of their healthcare data from their providers. Request must be submitted in writing and healthcare providers are required to provide the patient with a copy of the health data in a designated record set within 30 days to the request being submitted. The data must be provided in the format requested by the patient if the PHI is readily producible in that format. In cases where data cannot be provided in the requested format, the provider should give the patient a printed copy of their healthcare data or provide the data in an alternative format, as agreed with the patient.

For each study, requests for copies of healthcare data are sent to healthcare providers by Ciitizen users. The provider then receives a rating from 1-5 based on their response. A 1-star rating represents a non-HIPAA-compliant response. 2-stars are awarded when requests are eventually resolved satisfactorily, but only after multiple escalations to supervisors. A 3-star rating is given when the request is satisfied with minimal intervention, and a 4-star rating is given to providers that are fully compliant and have a seamless response. A 5-star rating is reserved for providers with a patient-focused process who go above and beyond the requirements of HIPAA.

Previous studies revealed a majority of providers (51%) were not compliant with the HIPAA Right of Access. The latest study saw that percentage fall to 27%. The percentage of providers awarded 4 stars for their responses increased from 40% to 67%, and the percentage of providers awarded 5 stars increased from 20% to 28%.

There was further good news from this year’s study. Under HIPAA, healthcare providers are permitted to charge patients a reasonable, cost-based fee for producing the records, but only 6% of the 820 healthcare providers charged fees.

In previous studies, many healthcare providers required patients to complete a standard form, yet this year, most providers accepted any form of written request and did not require patients to complete a particular form before the request was processed.

The latest study saw a significant increase in assessments, which may have accounted, in part, for the improvements in compliance. 51 providers were assessed for the first Patient Record Scorecard report, 210 in the second, and 820 in the third. Ciitizen points out that the percentage of non-compliant providers in those studies did correlate with a separate study conducted on 3,000 providers, which suggests that the improvements made are genuine.

Ciitizen attributes the improvements in compliance to three main factors. A greater emphasis has been placed on the right of individuals to obtain copies of their healthcare data following the publication of new rules by the HHS’ Centers for Medicare and Medicaid Services and the HHS’ Office of the National Coordinator for Health IT, which make it easier for patients to obtain copies of their healthcare data.

There has also bee a positive influence of release of information (ROI) vendors. ROI vendors process patient requests on behalf of covered entities and help those entities comply with the HIPAA Right of Access. Finally, the HHS’ Office for Civil Rights launched a HIPAA Right of Access enforcement initiative last year. Under that initiative, two penalties of $85,000 were imposed on covered entities that failed to comply with requests from patients to provide copies of their PHI.

The Ciitizen Patient Record Scorecard Reports and the website sit up by Ciitizen that shows the scores of each provider may also have played a role in encouraging healthcare providers to comply with this important aspect of HIPAA.

The post Ciitizen HIPAA Right of Access Study Shows Significant Improvement in Compliance appeared first on HIPAA Journal.

HHS Delays Enforcement of New Interoperability and Information Sharing Rules

The HHS will be exercising enforcement discretion in relation to compliance with the new interoperability and information sharing rules that were finalized and issued by the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator for Health IT (ONC) on March 9, 2020.

The decision to delay enforcement is due to the COVID-19 pandemic. The CMS, ONC, and HHS’ Office of Inspector General (OIG) believe that during a pandemic of the magnitude of COVID-19, healthcare organizations need to be given some flexibility complying with the new interoperability and information sharing rules.

The dates for compliance with the new rules remain unchanged, although both agencies will be exercising enforcement discretion to allow healthcare organizations to continue to focus their efforts on addressing the COVID-19 pandemic.

“ONC remains committed to ensuring that patients and providers can access electronic health information, when and where it matters most. During this critical time, we understand that resources need to be focused on fighting the COVID-19 pandemic,” said Donald Rucker, MD, National Coordinator for Health Information Technology. “To support that important work and the information sharing efforts we are already seeing, ONC intends to exercise enforcement discretion for 3 months at the end of certain ONC Health IT Certification Program compliance dates associated with the ONC Cures Act Final Rule to provide flexibility while ensuring the goals of the rule remain on track.”

The compliance dates and ONC’s enforcement discretion dates and timeframes can be viewed on this link.

The CMS is giving healthcare organizations an additional 6 months to comply with its rule. “Now more than ever, patients need secure access to their healthcare data. Hospitals should be doing everything in their power to ensure that patients get appropriate follow-up care,” said CMS Administrator, Seema Verma. “Nevertheless, in a pandemic of this magnitude, flexibility is paramount for a healthcare system under siege by COVID-19. Our action today will provide hospitals an additional 6 months to implement the new requirements.”

The CMS, ONC, and OIG will continue to monitor the implementation landscape to determine if any further action is needed.

The post HHS Delays Enforcement of New Interoperability and Information Sharing Rules appeared first on HIPAA Journal.

HHS’ Office of Inspector General Proposes Rule for Civil Monetary Penalties for Information Blocking

On Tuesday, the HHS’ Office of inspector General (OIG) proposed a rule that amends civil monetary penalty rules to also cover information blocking.

“When implemented, the new CMPs for information blocking will be an important tool to ensure program integrity and the promised benefits of technology and data,” said Christi A. Grimm, OIG Principal Deputy Inspector General.

OIG understands that during the COVID-19 public health emergency, healthcare organizations are focused on providing treatment and follow-up care to patients. OIG is fulfilling its obligations by publishing the new rule but is also trying to be as flexible as possible to minimize the burden on healthcare organizations on the front line dealing with the COVID-19 pandemic. OIG is seeking comment from healthcare organizations and industry stakeholders on when information blocking enforcement should begin.

OIG explained that all entities and individuals required to comply with the new information blocking regulations will be given time to achieve compliance before enforcement begins. OIG has proposed the earliest date for enforcement is the compliance date of the ONC Final Rule published on March 9, 2020 but has proposed a 60-day delay to enforcement due to the COVID-19 pandemic.

The proposed rule does not introduce any new requirements concerning information blocking, instead OIG will be incorporating the regulations published by the National Coordinator for Health Information Technology (ONC) in March, and will be using that rule as the basis for enforcing information blocking CMPs.

OIG said civil monetary penalties will only be imposed on entities and individuals when there have been intentional information blocking violations. OIG will not impose civil monetary penalties on entities and individuals in cases where innocent mistakes have been made. In order to determine intent, OIG will work closely with both the ONC and the HHS’ Office for Civil Rights. The proposed rule also explains the basis for determining whether there have been single or multiple violations of information blocking provisions of the ONC rule.

ONC explained that it will prioritize investigations where conduct has or has potential to cause harm, when information blocking has significantly impacted a provider’s ability to provide care for patients, cases involving information blocking over a long period of time, deliberate information blocking, and when conduct has caused financial loss to Federal healthcare programs or other government or private entities.

The proposed rule also makes changes in two other areas. There are new authorities for civil monetary penalties, assessments, and exclusions related to HHS grants, contracts and other agreements in relation to fraud, and the maximum penalties for certain violations will be increased in accordance with changes made by the Bipartisan Budget Act of 2018.

The OIG proposed rule has been published in the federal register and can be viewed on this link. Comments on proposed rule will be accepted for 60 days from the date of publication in the federal register.

The post HHS’ Office of Inspector General Proposes Rule for Civil Monetary Penalties for Information Blocking appeared first on HIPAA Journal.

Court Rules McHenry County Health Department Must Disclose COVID-19 Patients’ Names to 911 Dispatchers

The McHenry County Health Department in Illinois has been refusing to provide the names of COVID-19 patients to 911 dispatchers to protect the privacy of patients, as is the case with patients that have contracted other infectious diseases such as HIV and hepatitis.

The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule permits disclosures of PHI to law enforcement officers, paramedics, and 911 dispatchers under certain circumstances, which was clarified by the HHS’ Office for Civil Rights in a March 24, 2020 guidance document, COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities.

In the document, OCR explained that “HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. 45 CFR 164.512(b)(1)(iv).” OCR also explained that “disclosing PHI such as patient names to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.”

While the disclosures are permissible, the County Health department said on Friday it will not disclose that information as it violates the privacy of patients and creates a false sense of security for first responders, who must assume that every home they visit could house a person who has contracted COVID-19 and could transmit the coronavirus. The Country Health Department recommended first responders should take the same precautions with all interactions with the community.

“In MCDH’s professional public health opinion, given what we know about how this disease spreads, the general lack of testing, epidemiological data and the stay-at-home order, providing the personal names of cases exceeds the minimum information needed to protect law enforcement,” explained MCDH.

Several law enforcement agencies in McHenry County took legal action to force the County Health Department to disclose the information to better protect first responders. Two lawsuits were filed, one on behalf of four police departments in the County and the other by the County Sheriff’s office. The police department lawsuit requested information be released to the the McHenry County Emergency Telephone System Board. That would ensure that any officers responding to incidents would be made aware if they need to take extra precautions. The County Sheriff argued in its lawsuit that it was not possible for officers to take the same precautions with every interaction with a member of the public as there was not enough personal protective equipment available.

On Friday evening, a temporary court order was issued requiring MCDH to disclose the information. In the ruling, it was explained that “The availability of the names at issue best enables police officers to do their job and protect the community to the fullest extent of their ability.”

As a result of the court order, MCDH will start providing the names of patients, on request, but only to dispatchers on a call-by-call basis. MCDH has requested the “tightest control” of any information that is disclosed, to protect the privacy of its patients.

The post Court Rules McHenry County Health Department Must Disclose COVID-19 Patients’ Names to 911 Dispatchers appeared first on HIPAA Journal.

HIPAA Penalties Waived for Good Faith Operation of COVID-19 Community-Based Testing Sites

The HHS has a further Notice of Enforcement Discretion covering healthcare providers and business associates that participate in the operation of COVID-19 community-based testing sites.

Under the terms of the Notice of Enforcement discretion, the HHS will not impose sanctions and penalties in connection with good faith participation in the operation of COVID-19 community-based testing sites. The Notice of Enforcement discretion is retroactive to March 13, 2020 and will continue for the duration of the COVID-19 public health emergency or until the Secretary of the HHS declares the public health emergency is over.

The purpose of the notification is to help pharmacies, other healthcare providers, and their business associates to provide COVID-19 testing services and specimen collection at dedicated walk-up or drive through facilities, without risking a financial penalty for noncompliance with HIPAA Rules.

While the Notice of Enforcement Discretion has been issued, the HHS’ Office for Civil Rights is encouraging covered entities and their business associates to ensure reasonable safeguards are implemented to protect the privacy of users of the service and prevent the accidental exposure or disclosure of PHI to unauthorized individuals.

Privacy controls such as canopies and barriers should be used to separate the testing area to protect the privacy of users of the service and there should be a buffer zone to prevent members of the public from observing individuals being tested.

Social distancing measures need to be implemented to reduce the risk of transmission of SARS-CoV-2. A distance of at least 6 feet should be maintained between patients. These social distancing will help to ensure conversations between a patient and CBTS staff cannot be overheard. OCR also recommends posting signs prohibiting filming at testing facilities.

A Notice of Privacy Practices should also be posted in a place where it can be easily read by visitors. The NPP should also be published online, with information included in the printed notice explaining how the NPP can be viewed online.

Uses and disclosures of PHI should be limited to the minimum necessary amount to achieve the purpose for which the information is disclosed, other than when disclosing PHI for treatment purposes.

You can view the Notice of Enforcement Discretion on this link.

The post HIPAA Penalties Waived for Good Faith Operation of COVID-19 Community-Based Testing Sites appeared first on HIPAA Journal.