HIPAA Compliance News

Healthcare Workers in Michigan and Illinois Fired for HIPAA Violations

Ann & Robert H. Lurie Children’s Hospital of Chicago has terminated an employee for improperly accessing the medical records of patients without authorization over a period of 15 months.

The privacy violations were identified by the hospital on March 5, 2020. The employee’s access to hospital systems was immediately terminated while the investigation was conducted. After reviewing access logs, the hospital found that the employee had accessed the medical records of 4,824 patients without authorization between November 2018 and February 2020.

The types of information accessed by the employee included names, addresses, dates of birth, diagnoses, medications, appointments, and medical procedures. No health insurance information, financial information, or Social Security numbers were accessed.

No reason has been given as to why the medical records were accessed, but the hospital says it does not believe the employee obtained, misused, or disclosed the information to anyone else. The hospital said the employee no longer works at the hospital.

This is not the first incident of its type to occur at Lurie Children’s Hospital. A similar incident was discovered in November 2019, when the hospital learned that a former employee accessed the medical records of patients without authorization between September 2018 and September 2019.

Mercy Health Fires Nurse for Multiple Privacy Violations

Mercy Health has also recently taken action against an employee for alleged violations of the HIPAA Privacy Rule. A nurse at Hackley Hospital in Muskegon, MI was terminated on April 3, 2020. The termination came shortly after the nurse raised concerns in media interviews about the level of preparedness of the hospital for the COVID-19 pandemic and how the alleged lack of preparedness put safety at risk. The nurse contacted the Michigan Nurses Association Labor Union, which claimed that Mercy Health fired the nurse for speaking out. The Labor Union also filed a charge with the National Labor Relations Board.

“Howe’s termination came on the evening of April 3, days after he had publicly raised concerns about lack of appropriate PPE and the need for improved screening measures to keep nurses and healthcare workers safe during the COVID-19 pandemic,” said the Labor Union in an April 21, 2020 press release.

Ten days after the nurse was fired, and one day after the press release was issued by the Labor Union, Mercy Health released a press release of its own stating the nurse was fired for multiple violations of HIPAA Rules. Mercy Health said it does not usually share details about employment matters related to its workers but was compelled to speak out due to the “misinformation campaign” led by the Labor Union.

Mercy Health claims the fired nurse, Justin Howe, was terminated for accessing the medical records of multiple patients over a period of several days. The records were not for patients receiving treatment at the campus where the nurse worked, and there was no legitimate work reason for accessing those records. Mercy Health claims that Howe was not the only nurse terminated for improper medical record access.

According to Mercy Health’s press release, “We have mechanisms in place to monitor for inappropriate access of privileged information. As part of this review process, Mr. Howe along with others were terminated for the same. This investigative effort is still in process.”

The post Healthcare Workers in Michigan and Illinois Fired for HIPAA Violations appeared first on HIPAA Journal.

OCR Issues Guidance on Media and Film Crew Access to Healthcare Facilities

The HHS’ Office for Civil Rights (OCR) has issued guidance to healthcare providers to remind them that the HIPAA Privacy Rule does not allow the media and film crews to access healthcare facilities where patients’ protected health information is accessible unless written authorization has been obtained from the patients concerned in advance. A public health emergency does not change the requirements of the HIPAA Privacy Rule, which remains in effect in emergency situations.

OCR has made this clear in the past with enforcement actions against Boston Medical Center, Brigham and Women’s Hospital, and Massachusetts General Hospital in 2018 after it was discovered they had given film crews access to their facilities without first obtaining authorization from patients. They were fined a total of $999,000 for the HIPAA violations.

OCR has issued Notices of Enforcement Discretion during the coronavirus pandemic and will not be imposing sanctions and financial penalties on HIPAA-covered entities for certain violations of HIPAA Rules. Penalties can and will be imposed on covered entities for violations of HIPAA Rules not covered by the Notices of Enforcement Discretion, such as unauthorized disclosures to the media.

In the latest guidance, OCR explains that protected health information includes written, electronic, oral, and other visual and audio forms of health information, all of which must be protected against unauthorized access and disclosure. In all cases, HIPAA authorizations must be obtained from patients in advance, before the film crews are granted access to the facilities. Masking the identities of patients in video footage after the fact, such as blurring faces before broadcast, does not satisfy this requirement.

The HIPAA Privacy Rule does not prohibit film crews from entering healthcare facilities. Provided HIPAA authorizations have been obtained in advance from all patients who are in or will be in the areas accessed by the film crews, filming is permitted. However, in such situations, reasonable safeguards must still be put in place to protect against unauthorized disclosures of PHI, including measures such as privacy screens on computer monitors to prevent electronic PHI from being viewed. Screens must also be used to ensure patients who have not signed HIPAA authorizations are not filmed.

“The last thing hospital patients need to worry about during the COVID-19 crisis is a film crew walking around their bed shooting ‘B-roll,’” said Roger Severino, OCR Director. “Hospitals and health care providers must get authorization from patients before giving the media access to their medical information; obscuring faces after the fact just doesn’t cut it.”


Ciitizen HIPAA Right of Access Study Shows Significant Improvement in Compliance

There has been a significant improvement in compliance with the HIPAA Right of Access, according to the latest Patient Record Scorecard Report from Ciitizen.

To compile the report, Ciitizen conducted a study of 820 healthcare providers to assess how well each responded to patient requests for copies of their healthcare data. A wide range of healthcare providers were assessed for the study, from single physician practices to large, integrated healthcare delivery systems.

The HIPAA Privacy Rule gives patients the right to request a copy of their healthcare data from their providers. Requests must be submitted in writing, and healthcare providers are required to provide the patient with a copy of the health data in a designated record set within 30 days of the request being submitted. The data must be provided in the format requested by the patient if the PHI is readily producible in that format. In cases where data cannot be provided in the requested format, the provider should give the patient a printed copy of their healthcare data or provide the data in an alternative format, as agreed with the patient.

For each study, requests for copies of healthcare data are sent to healthcare providers by Ciitizen users. The provider then receives a rating from 1 to 5 stars based on its response. A 1-star rating represents a non-HIPAA-compliant response. Two stars are awarded when requests are eventually resolved satisfactorily, but only after multiple escalations to supervisors. A 3-star rating is given when the request is satisfied with minimal intervention, and a 4-star rating is given to providers that are fully compliant and have a seamless response. A 5-star rating is reserved for providers with a patient-focused process who go above and beyond the requirements of HIPAA.

Previous studies revealed a majority of providers (51%) were not compliant with the HIPAA Right of Access. The latest study saw that percentage fall to 27%. The percentage of providers awarded 4 stars for their responses increased from 40% to 67%, and the percentage of providers awarded 5 stars increased from 20% to 28%.

There was further good news from this year’s study. Under HIPAA, healthcare providers are permitted to charge patients a reasonable, cost-based fee for producing the records, but only 6% of the 820 healthcare providers charged fees.

In previous studies, many healthcare providers required patients to complete a standard form, yet this year, most providers accepted any form of written request and did not require patients to complete a particular form before the request was processed.

The latest study saw a significant increase in assessments, which may have accounted, in part, for the improvements in compliance. 51 providers were assessed for the first Patient Record Scorecard report, 210 in the second, and 820 in the third. Ciitizen points out that the percentage of non-compliant providers in those studies did correlate with a separate study conducted on 3,000 providers, which suggests that the improvements made are genuine.

Ciitizen attributes the improvements in compliance to three main factors. A greater emphasis has been placed on the right of individuals to obtain copies of their healthcare data following the publication of new rules by the HHS’ Centers for Medicare and Medicaid Services and the HHS’ Office of the National Coordinator for Health IT, which make it easier for patients to obtain copies of their healthcare data.

There has also been a positive influence from release of information (ROI) vendors. ROI vendors process patient requests on behalf of covered entities and help those entities comply with the HIPAA Right of Access. Finally, the HHS’ Office for Civil Rights launched a HIPAA Right of Access enforcement initiative last year. Under that initiative, two penalties of $85,000 were imposed on covered entities that failed to comply with requests from patients to provide copies of their PHI.

The Ciitizen Patient Record Scorecard Reports, and the website set up by Ciitizen that shows the scores of each provider, may also have played a role in encouraging healthcare providers to comply with this important aspect of HIPAA.


HHS Delays Enforcement of New Interoperability and Information Sharing Rules

The HHS will be exercising enforcement discretion in relation to compliance with the new interoperability and information sharing rules that were finalized and issued by the HHS’ Centers for Medicare and Medicaid Services (CMS) and the HHS’ Office of the National Coordinator for Health IT (ONC) on March 9, 2020.

The decision to delay enforcement is due to the COVID-19 pandemic. The CMS, ONC, and HHS’ Office of Inspector General (OIG) believe that during a pandemic of the magnitude of COVID-19, healthcare organizations need to be given some flexibility in complying with the new interoperability and information sharing rules.

The dates for compliance with the new rules remain unchanged, although both agencies will be exercising enforcement discretion to allow healthcare organizations to continue to focus their efforts on addressing the COVID-19 pandemic.

“ONC remains committed to ensuring that patients and providers can access electronic health information, when and where it matters most. During this critical time, we understand that resources need to be focused on fighting the COVID-19 pandemic,” said Donald Rucker, MD, National Coordinator for Health Information Technology. “To support that important work and the information sharing efforts we are already seeing, ONC intends to exercise enforcement discretion for 3 months at the end of certain ONC Health IT Certification Program compliance dates associated with the ONC Cures Act Final Rule to provide flexibility while ensuring the goals of the rule remain on track.”


The CMS is giving healthcare organizations an additional 6 months to comply with its rule. “Now more than ever, patients need secure access to their healthcare data. Hospitals should be doing everything in their power to ensure that patients get appropriate follow-up care,” said CMS Administrator, Seema Verma. “Nevertheless, in a pandemic of this magnitude, flexibility is paramount for a healthcare system under siege by COVID-19. Our action today will provide hospitals an additional 6 months to implement the new requirements.”

The CMS, ONC, and OIG will continue to monitor the implementation landscape to determine if any further action is needed.


HHS’ Office of Inspector General Proposes Rule for Civil Monetary Penalties for Information Blocking

On Tuesday, the HHS’ Office of Inspector General (OIG) proposed a rule that amends civil monetary penalty (CMP) rules to also cover information blocking.

“When implemented, the new CMPs for information blocking will be an important tool to ensure program integrity and the promised benefits of technology and data,” said Christi A. Grimm, OIG Principal Deputy Inspector General.

OIG understands that during the COVID-19 public health emergency, healthcare organizations are focused on providing treatment and follow-up care to patients. OIG is fulfilling its obligations by publishing the new rule but is also trying to be as flexible as possible to minimize the burden on healthcare organizations on the front line dealing with the COVID-19 pandemic. OIG is seeking comment from healthcare organizations and industry stakeholders on when information blocking enforcement should begin.

OIG explained that all entities and individuals required to comply with the new information blocking regulations will be given time to achieve compliance before enforcement begins. OIG has proposed that the earliest date for enforcement be the compliance date of the ONC Final Rule published on March 9, 2020, but has also proposed a 60-day delay to enforcement due to the COVID-19 pandemic.

The proposed rule does not introduce any new requirements concerning information blocking; instead, OIG will be incorporating the regulations published by the Office of the National Coordinator for Health Information Technology (ONC) in March, and will be using that rule as the basis for enforcing information blocking CMPs.

OIG said civil monetary penalties will only be imposed on entities and individuals when there have been intentional information blocking violations. OIG will not impose civil monetary penalties on entities and individuals in cases where innocent mistakes have been made. In order to determine intent, OIG will work closely with both the ONC and the HHS’ Office for Civil Rights. The proposed rule also explains the basis for determining whether there have been single or multiple violations of information blocking provisions of the ONC rule.

ONC explained that it will prioritize investigations where conduct has caused or has the potential to cause harm, where information blocking has significantly impacted a provider’s ability to provide care for patients, cases involving information blocking over a long period of time, deliberate information blocking, and cases where conduct has caused financial loss to Federal healthcare programs or other government or private entities.

The proposed rule also makes changes in two other areas. There are new authorities for civil monetary penalties, assessments, and exclusions related to HHS grants, contracts and other agreements in relation to fraud, and the maximum penalties for certain violations will be increased in accordance with changes made by the Bipartisan Budget Act of 2018.

The OIG proposed rule has been published in the Federal Register. Comments on the proposed rule will be accepted for 60 days from the date of publication in the Federal Register.


Court Rules McHenry County Health Department Must Disclose COVID-19 Patients’ Names to 911 Dispatchers

The McHenry County Health Department in Illinois has been refusing to provide the names of COVID-19 patients to 911 dispatchers in order to protect the privacy of patients, as it does for patients who have contracted other infectious diseases such as HIV and hepatitis.

The Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule permits disclosures of PHI to law enforcement officers, paramedics, and 911 dispatchers under certain circumstances, which was clarified by the HHS’ Office for Civil Rights in a March 24, 2020 guidance document, COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities.

In the document, OCR explained that “HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. 45 CFR 164.512(b)(1)(iv).” OCR also explained that “disclosing PHI such as patient names to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.”

While the disclosures are permissible, the County Health Department said on Friday it will not disclose that information, as doing so violates the privacy of patients and creates a false sense of security for first responders, who must assume that every home they visit could house a person who has contracted COVID-19 and could transmit the coronavirus. The County Health Department recommended that first responders take the same precautions in all interactions with the community.

“In MCDH’s professional public health opinion, given what we know about how this disease spreads, the general lack of testing, epidemiological data and the stay-at-home order, providing the personal names of cases exceeds the minimum information needed to protect law enforcement,” explained MCDH.

Several law enforcement agencies in McHenry County took legal action to force the County Health Department to disclose the information to better protect first responders. Two lawsuits were filed, one on behalf of four police departments in the County and the other by the County Sheriff’s office. The police department lawsuit requested that the information be released to the McHenry County Emergency Telephone System Board. That would ensure that any officers responding to incidents would be made aware if they need to take extra precautions. The County Sheriff argued in its lawsuit that it was not possible for officers to take the same precautions in every interaction with a member of the public, as there was not enough personal protective equipment available.

On Friday evening, a temporary court order was issued requiring MCDH to disclose the information. In the ruling, it was explained that “The availability of the names at issue best enables police officers to do their job and protect the community to the fullest extent of their ability.”

As a result of the court order, MCDH will start providing the names of patients, on request, but only to dispatchers on a call-by-call basis. MCDH has requested the “tightest control” of any information that is disclosed, to protect the privacy of its patients.


HIPAA Penalties Waived for Good Faith Operation of COVID-19 Community-Based Testing Sites

The HHS has issued a further Notice of Enforcement Discretion covering healthcare providers and business associates that participate in the operation of COVID-19 community-based testing sites.

Under the terms of the Notice of Enforcement Discretion, the HHS will not impose sanctions and penalties in connection with good faith participation in the operation of COVID-19 community-based testing sites. The Notice of Enforcement Discretion is retroactive to March 13, 2020 and will continue for the duration of the COVID-19 public health emergency or until the Secretary of the HHS declares the public health emergency is over.

The purpose of the notification is to help pharmacies, other healthcare providers, and their business associates to provide COVID-19 testing services and specimen collection at dedicated walk-up or drive-through facilities, without risking a financial penalty for noncompliance with HIPAA Rules.

While the Notice of Enforcement Discretion has been issued, the HHS’ Office for Civil Rights is encouraging covered entities and their business associates to ensure reasonable safeguards are implemented to protect the privacy of users of the service and prevent the accidental exposure or disclosure of PHI to unauthorized individuals.

Privacy controls such as canopies and barriers should be used to separate the testing area to protect the privacy of users of the service and there should be a buffer zone to prevent members of the public from observing individuals being tested.

Social distancing measures need to be implemented to reduce the risk of transmission of SARS-CoV-2. A distance of at least 6 feet should be maintained between patients. These social distancing measures will also help to ensure conversations between a patient and community-based testing site (CBTS) staff cannot be overheard. OCR also recommends posting signs prohibiting filming at testing facilities.

A Notice of Privacy Practices should also be posted in a place where it can be easily read by visitors. The NPP should also be published online, with information included in the printed notice explaining how the NPP can be viewed online.

Uses and disclosures of PHI should be limited to the minimum necessary amount to achieve the purpose for which the information is disclosed, other than when disclosing PHI for treatment purposes.



OCR Issues Notice of Enforcement Discretion to Allow Business Associates to Disclose PHI for COVID-19 Public Health and Health Oversight Activities

On April 2, 2020, the Department of Health and Human Services announced that with immediate effect, it will be exercising enforcement discretion and will not impose sanctions or financial penalties against healthcare providers or their business associates for good faith uses and disclosures of protected health information (PHI) by business associates for public health and health oversight activities for the duration of the COVID-19 public health emergency, or until the Secretary of the HHS declares the public health emergency no longer exists.

The Notice of Enforcement Discretion was issued to support Federal public health authorities and health oversight agencies such as the Centers for Medicare and Medicaid Services (CMS), the Centers for Disease Control and Prevention (CDC), state and local health departments, and other emergency operation centers that require timely access to COVID-19 related data.

While disclosures of PHI by HIPAA-covered entities for public health and health oversight purposes are permitted under the HIPAA Privacy Rule, business associates of HIPAA-covered entities are currently only permitted to disclose PHI for public health and health oversight purposes if their business associate agreement with the covered entity specifically states that they can do so. Without the Notice of Enforcement Discretion, business associates could face financial penalties for disclosures of PHI for public health and health oversight purposes.

The Notice of Enforcement Discretion applies to the HIPAA Privacy Rule provisions 45 CFR 164.502(a)(3), 45 CFR 164.502(e)(2), and 45 CFR 164.504(e)(1) and (5), but only for a good faith use or disclosure of PHI by a business associate for public health activities consistent with 45 CFR 164.512(b), or health oversight activities consistent with 45 CFR 164.512(d). The business associate must inform the covered entity about the use or disclosure no later than 10 calendar days after the use or disclosure occurred.

The Notice of Enforcement Discretion does not apply to any other provisions of HIPAA Rules and the HIPAA Security Rule remains in effect. Should PHI be disclosed to a public health authority or health oversight agency, the business associate must ensure the requirements of the HIPAA Security Rule are met and reasonable safeguards are implemented to ensure the confidentiality, integrity, and availability of ePHI and that the information is transmitted in a secure manner.

“The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic,” explained OCR Director, Roger Severino. “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”



CMS Announces Sweeping Regulatory Changes in Response to Surge in COVID-19 Patients

The Department of Health and Human Services’ Centers for Medicare and Medicaid Services (CMS) has announced a set of sweeping regulatory changes and waivers to give healthcare providers maximum flexibility to treat patients during the 2019 Novel Coronavirus pandemic. The new changes will allow healthcare providers to act as healthcare delivery coordinators in their areas.

The temporary changes ease restrictions and are intended to create “hospitals without walls,” which will make it easier for hospitals and health systems to cope with an expected massive increase in COVID-19 patients over the coming weeks.

Under normal circumstances, federal restrictions require hospitals to provide medical services within their existing facilities, but this will cease to be possible as patient numbers increase. As the number of COVID-19 cases grows, hospitals will soon reach capacity. If they do not develop additional sites to provide treatment to patients, they will be overwhelmed.

To ensure all patients can receive treatment and no one is left behind, the CMS has relaxed restrictions and has issued temporary new rules that will allow treatment to be provided in other locations. Many ambulatory surgery centers have taken the decision to cancel elective procedures during the public health emergency. Hospitals and health systems would be permitted to use those locations along with inpatient rehabilitation hospitals, and even hotels and dormitories, and would still be eligible to receive reimbursement for services under Medicare. The new locations could be used to provide medical services to non-COVID-19 patients to free up inpatient beds for COVID-19 patients that require intensive care and respirators.

The CMS explained that ambulatory surgery centers have two options. They can either contract with local healthcare systems to provide services on behalf of the hospital, or they can enroll and bill CMS as hospitals during the public health emergency declaration, provided that doing so is not in conflict with their State’s Emergency Preparedness or Pandemic Plan. Healthcare providers will not be permitted to operate outside of organized plans at the local level.

To further increase capacity, the CMS has issued a waiver that will allow doctor-owned hospitals to increase the number of beds without facing sanctions. Hospitals are permitted to set up drive-through screening centers for COVID-19, use off-campus testing sites, and coverage will be given to laboratory technicians who need to travel to a Medicare beneficiary’s home to collect samples to perform COVID-19 testing. CMS will be providing additional reimbursement for ambulances, which are likely to be required to transfer patients between healthcare facilities and doctor’s surgeries to ensure they receive the treatment they need. Medicare coverage for respiratory-related devices and equipment has now been extended to cover any medical reason.

Changes have also been made to facilitate the rapid expansion of the healthcare workforce. These changes include making it easier for providers to enroll in Medicare and allowing teaching hospitals to have medical residents provide services under the supervision of a teaching physician. The CMS has also issued a blanket waiver to allow hospitals to provide more benefits to support their medical staff, including multiple daily meals, laundry service for personal clothing, or child care services while the physicians and other staff are at the hospital providing patient care.

Changes have also been made to ease the administrative burden on healthcare providers, with the CMS putting patients above paperwork by eliminating paperwork requirements to ensure that clinicians can spend more time treating patients.

The CMS has previously announced that there is additional flexibility for the provision of telehealth services, with reimbursement now being provided for all Medicare beneficiaries in all areas. Coverage is now included for more than 80 additional services provided through telehealth, as long as those services are provided by clinicians allowed to provide telehealth services.

These new changes and waivers are only temporary and will last for the duration of the national public health emergency for COVID-19, after which the CMS will evaluate how best to return to the current system.
