Latest HIPAA News

OCR Issues Guidance on Allowable Disclosures of PHI to First Responders During the COVID-19 Crisis

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has issued further guidance on HIPAA and COVID-19, the disease caused by the 2019 Novel Coronavirus, SARS-CoV-2. The new guidance document provides examples of allowable disclosures of protected health information (PHI) by covered entities under the HIPAA Privacy Rule to help make sure first responders and others receive PHI about individuals exposed to SARS-CoV-2 or displaying symptoms of COVID-19.

The new guidance document is in Q&A form and explains when covered entities are permitted to disclose PHI such as names and other identifying information to first responders, law enforcement officers, paramedics, and public health authorities without first obtaining a HIPAA authorization.

The document confirms that under the HIPAA Privacy Rule, disclosures of PHI are permitted when the information is required to provide treatment, when a disclosure is required by law, when first responders such as paramedics are at risk of contracting COVID-19 and need information to prevent infection, and when a disclosure could prevent or lessen a serious and imminent threat.

OCR also confirms that a disclosure of PHI is permitted when responding to a request for PHI from a correctional institution or law enforcement official in lawful custody of an inmate or other individual, and PHI is required in order to provide healthcare services to the individual, to ensure the health and safety of the individual or others in the institution, those required to transport the individual, and when PHI is required to maintain safety, security, and good order in a correctional institution.

OCR explains that a hospital is permitted to provide a list of names and addresses of all individuals known to have tested positive for COVID-19 to an EMS dispatch for use on a per-call basis. That information can then be used to ensure that any personnel responding to an emergency at the patient’s location knows they must take extra precautions to ensure their own safety, such as wearing personal protective equipment (PPE).

911 call center staff may ask for information about a patient’s symptoms in order to determine whether there is a risk they have been infected with SARS-CoV-2. Information may then be passed to law enforcement officers and others responding to an incident at the person’s location to ensure they take steps to protect themselves.

In all cases, a covered entity must make reasonable efforts to limit the disclosed information to the minimum amount necessary to accomplish the purpose for the disclosure.

“Our nation needs our first responders like never before and we must do all we can to assure their safety while they assure the safety of others,” said Roger Severino, OCR Director. “This guidance helps ensure first responders will have greater access to real time infection information to help keep them and the public safe.”

The guidance document – COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities – can be found on the HHS website on this link (PDF).

The post OCR Issues Guidance on Allowable Disclosures of PHI to First Responders During the COVID-19 Crisis appeared first on HIPAA Journal.

February 2020 Healthcare Data Breach Report

There were 39 reported healthcare data breaches of 500 or more records in February and 1,531,855 records were breached, which represents a 21.9% month-over-month increase in data breaches and a 231% increase in breached records. More records were breached in February than in the past three months combined. In February, the average breach size was 39,278 records and the mean breach size was 3,335 records.

Largest Healthcare Data Breaches in February 2020

The largest healthcare data breach was reported by the health plan, Health Share of Oregon. An unencrypted laptop computer containing the records of 654,362 plan members was stolen from its transportation vendor in an office break in.

The second largest breach was a ransomware attack on the accounting firm BST & Co. CPAs which saw client records encrypted, including those of the New York medical group, Community Care Physicians. Aside from the network server breach at SOLO Laboratories, the cause of which has not been determined, the remaining 7 breaches in the top 10 were all email security incidents.

Name of Covered Entity Covered Entity Type Individuals Affected Type of Breach Location of Breached PHI
Health Share of Oregon Health Plan 654,362 Theft Laptop
BST & Co. CPAs, LLP Business Associate 170,000 Hacking/IT Incident Network Server
Aveanna Healthcare Healthcare Provider 166,077 Hacking/IT Incident Email
Overlake Medical Center & Clinics Healthcare Provider 109,000 Hacking/IT Incident Email
Tennessee Orthopaedic Alliance Healthcare Provider 81,146 Hacking/IT Incident Email
Munson Healthcare Healthcare Provider 75,202 Hacking/IT Incident Email
NCH Healthcare System, Inc. Healthcare Provider 63,581 Hacking/IT Incident Email
SOLO Laboratories, Inc. Business Associate 60,000 Hacking/IT Incident Network Server
JDC Healthcare Management Healthcare Provider 45,748 Hacking/IT Incident Email
Ozark Orthopaedics, PA Healthcare Provider 15,240 Hacking/IT Incident Email

Causes of February Healthcare Data Breaches

Hacking/IT incidents dominated the breach reports, accounting for two thirds (66.67%) of all breaches reported in February and 54.78% of breached records (839,226 records). The average breach size was 32,277 records and the median breach size was 4,126 records. 80.76% of those incidents involved hacked email accounts.

There were 6 unauthorized access/disclosure incidents, four of which involved paper/films, one was an email incident and one involved a portable electronic device. 15,826 records were impermissibly disclosed in those incidents. The average breach size was 3,126 records and the median breach size was 2,548 records.

While there were only three theft incidents reported, they accounted for 42.78% of breached records. The average breach size was 327,696 records and the median breach size was 530 records.

There were two incidents involving lost paperwork containing the PHI of 5,904 patients and two improper disposal incidents involving paper files containing the PHI of 15,507 patients.

Location of Breached Protected Health Information

As the bar chart below shows, the biggest problem area for healthcare organizations is protecting email accounts. All but one of the email incidents were hacking incidents that occurred as a result of employees responding to phishing emails. The high total demonstrates how important it is to implement a powerful email security solution and to provide regular training to employees to teach them how to recognize phishing emails.

Breaches by Covered Entity Type

26 data breaches were reported by HIPAA-covered entities in February. The average breach size was 23,589 records and the median breach size was 3,229 records. Data breaches were reported by 8 health plans, with an average breach size of 83,490 records and a median breach size of 2,468 records.

There were 5 data breaches reported by business associates and a further 5 breaches that were reported by the covered entity but had some business associate involvement. The average breach size was 50,124 records and the median breach size was 15,010 records.

Healthcare Data Breaches by State

The data breaches reported in February were spread across 24 states. Texas was the worst affected with 4 breaches. Three data breaches were reported in Arkansas, California, and Florida. There were two reported breaches in each of Georgia, Indiana, Michigan, North Carolina, Virginia, and Washington. One breach was reported in each of Arizona, Hawaii, Illinois, Iowa, Maine, Massachusetts, Minnesota, Missouri, New Mexico, New York, Oregon, Pennsylvania, Tennessee, and Wisconsin.

HIPAA Enforcement Activity in February 2020

There was one HIPAA enforcement action reported in February. The HHS’ Office for Civil Rights announced that Steven A. Porter, M.D had agreed to pay a financial penalty of $100,000 to resolve a HIPAA violation case. The violations came to light during an investigation of a reported breach involving the practice’s medical records company, which Dr. Porter claimed was impermissibly using patient medical records by preventing access until payment of $50,000 was received.

OCR found that Dr. Porter had never conducted a risk analysis to identify risks to the confidentiality, integrity, and availability of ePHI. The practice had also not reduced risks to a reasonable and appropriate level, and policies and procedures to prevent, detect, contain, and correct security violations had not been implemented.

The post February 2020 Healthcare Data Breach Report appeared first on HIPAA Journal.

OCR Issues Guidance on Telehealth and HIPAA During Coronavirus Pandemic

Following on from the announcement from the HHS’ Office for Civil Rights that enforcement of HIPAA compliance in relation to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency has been relaxed, OCR has issued guidance on telehealth and remote communications.

Telehealth is defined by the HHS’ Health Resources and Services Administration (HRSA) as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration.” These services can be provided through the use of text, audio, or video via secure text messaging platforms, over the internet, using video conferencing solutions, or via landlines and wireless communications networks.

The Notification of Enforcement Discretion covers “All services that a covered health care provider, in their professional judgement, believes can be provided through telehealth in the given circumstances of the current emergency,” which includes the remote diagnosis and treatment of patients. The Notification of Enforcement Discretion only applies to “Penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”

OCR has confirmed that its Notification of Enforcement Discretion only applies to HIPAA-covered healthcare providers, not other HIPAA-covered entities that are not engaged in the provision of health care.

OCR explains that during the public health emergency, telehealth services can be provided to all patients, not only those that receive benefits under Medicare and Medicaid. Telehealth services can be provided to patients regardless of their health compliant, not only those with symptoms of COVID-19.

There is currently no expiration date for the Notification of Enforcement Discretion. This is a fluid situation and likely to be a long-term public health emergency. OCR will issue a public notice when the enforcement discretion no longer applies, and that decision will be based on circumstances and facts.

In the guidance OCR explains that telehealth services can be provided from healthcare facilities, including other clinics, offices, and from the home. To protect patient privacy, the services should be provided in a private setting where conversations cannot be overheard. Public locations and semi-public settings should be avoided, unless consent is given by patients or in exigent circumstances. In all cases, safeguards must be implemented to protect against incidental uses and disclosures of patients’ protected health information.

OCR has also provided clarification on the good faith and bad faith provision of telehealth services. The Notification of Enforcement Discretion only applies to good faith provision of telehealth services.

Bad faith provision of telehealth services includes:

  • Use of PHI for criminal purposes or furtherance of a criminal act
  • Uses of PHI transmitted during a telehealth communication for purposes not permitted by the HIPAA Privacy Rule e.g. sale of PHI; use of PHI for marketing purposes without first obtaining authorization
  • Violations of state licensing laws
  • Violations of professional ethical standards that would result in disciplinary action
  • The use of public-facing communications products

Public and Non-public Facing Communications Platforms

The Notification of Enforcement Discretion only applies to the use of non-public facing communications tools. These include HIPAA-compliant communications solutions, Facebook Messenger video, WhatsApp, Apple FaceTime, Skype, Google Hangouts video, and texting facilities within those applications. These non-public facing applications typically use end-to-end encryption, which helps to ensure PHI is not intercepted in transit. These solutions have access controls and give users control over certain aspects of communications, such as recording and muting conversations.

Public-facing communications platforms are not covered by the Notification of Enforcement Discretion and MUST NOT be used. These communications platforms have been developed to allow wide or indiscriminate access and are open to the public. Public-facing platforms include Facebook Live, Twitch, and TikTok, as well as chatroom platforms such as Slack.

You can view the OCR guidance on telehealth and HIPAA during the COVID-19 nationwide public health emergency on this link (PDF).

The post OCR Issues Guidance on Telehealth and HIPAA During Coronavirus Pandemic appeared first on HIPAA Journal.

Cybersecurity Firms Offer Free Assistance to Healthcare Organizations During the Coronavirus Pandemic

There have been several reported cases of cyberattacks on healthcare organizations that are currently working round the clock to ensure patients with COVID-19 receive the medical are they need. These attacks cause major disruption at the best of times, but during the COVID-19 outbreak the attacks have potential to cause even greater harm and place patient safety at risk.

Many phishing campaigns have been detected using COVID-19 as a lure, fear about the 2019 Novel coronavirus is being exploited to deliver malware, and more than 2,000 coronavirus and COVID-19-themed domains have been registered, many of which are expected to be used for malicious purposes.

One of the largest testing laboratories in the Czech Republic, Brno University Hospital, experienced a cyberattack forcing the shutdown of its computer systems. The attack also affected its Children’s Hospital and Maternity hospital and patients had to be re-routed to other medical facilities.

Cyberattacks have also experienced in the United States, with the Champaign-Urbana Public Health District of Illinois suffering a ransomware attack that affected its website, a source of important information for people about the coronavirus pandemic. A DDoS attack was also conducted on the U.S. Department of Health and Human Services.

Some Threat Groups are Stopping Ransomware Attacks on Healthcare Organizations

While the cyberattacks are continuing, it would appear than at least some threat actors have taken the decision not to attack healthcare and medical organizations currently battling to treat patients and deal with the COVID-19 outbreak.

BleepingComputer reached out to several ransomware gangs that have previously conducted attacks on healthcare organizations to find out if they plan on continuing to conduct attacks during the COVID-19 outbreak.

The threat group behind DoppelPaymer ransomware confirmed they do not tend to conduct attacks on hospitals and nursing homes but said if an error is made and a healthcare organization does have files encrypted, they will be decrypted free of charge. That offer has not been extended to pharmaceutical companies. The Maze ransomware gang has similarly stated that all activity against medical organizations will be stopped until the “stabilization of the situation with the virus.”

Cybersecurity Firms Offer Free Ransomware Assistance During Coronavirus Pandemic

Several cybersecurity firms have announced they are offering free support to healthcare providers that experience ransomware attacks during the coronavirus pandemic, including Emsisoft and Awake Security.

Emsisoft helps ransomware victims recover their files when the decryptors provided by the attackers fail. Coveware is an incident response company that helps ransomware victims negotiate with hackers if the decision is taken to pay the ransom. The two firms will be partnering to help hospitals and other healthcare providers recover if they experience a ransomware attack. The services being provided free of charge include a technical analysis of a ransomware attack, the development of a decryption tool, if possible, and negotiation, transaction handing, and recovery assistance. Emsisoft will also develop a custom decryption tool to replace the one provided by the attackers, which will have a greater chance of success and will lower the probability of file loss.

Awake Security has announced that hospitals and other healthcare providers responding to the coronavirus pandemic will be provided with free access to its security platform for 60 days, with the possibility of an extension.

“As more IT and security workers have to operate remotely, we feel strongly that it is our moral duty to ensure the security of the infrastructure they protect,” said Rahul Kashyap, CEO, Awake Security. “We are glad to see many in the security industry step up to tackle this global crisis, and we hope others will join us in the #FightCOVID19 pledge.”

The platform monitors networks and detects threats from non-traditional computing devices, remote users logging in via VPNs, and the core and perimeter networks. The offer also includes free access to its Managed Detection and response solution which provides ongoing threat monitoring, proactive intelligence-driven threat hunting, and access to Awake Security support services.

Akamai is providing 60 days of free access to its Business Continuity Assistance Program, 1-Password has removed its 30-day free trial limit for business accounts, SentinelOne is offering free endpoint protection and endpoint detection until May 16, 2020, and Cyber Risk Aware is providing free COVID-19 phishing tests for businesses to help them prepare the workforce for coronavirus-themed phishing attacks. To support COVID-19-related healthcare communications, TigerConnect has made its secure healthcare communications platform available free of charge in the United States.

The post Cybersecurity Firms Offer Free Assistance to Healthcare Organizations During the Coronavirus Pandemic appeared first on HIPAA Journal.

Webinar Today: Communication Best Practices During a Pandemic

During the 2019 Novel Coronavirus pandemic, instant, immediate, and enterprise-wide communication is essential for slowing the spread of the virus and ensuring service continuity.

Relatively little is known about the Novel Coronavirus and how it is spread. It is a fast-evolving situation and new information is regularly being released by researchers and public health authorities. That information and updates to policies and procedures need to be rapidly communicated across healthcare organizations. It is also important for healthcare professionals to monitor the condition of patients who are self-isolating at home after displaying symptoms of COVID-19.

The 2019 Novel Coronavirus pandemic is placing health systems under a great strain and fast, effective, and efficient internal and external communication is critical.

TigerConnect, the leading secure healthcare communication platform provider, is hosting a webinar where the company’s healthcare communication experts will share communication and collaboration best practices for organizational preparedness, effective response, and service continuity during the 2019 Novel Coronavirus pandemic, and other times of crisis.

During the webinar, TigerConnect will discuss best practices for workflow readiness, how to accelerate internal and external communication, effective broadcasting of important updates to staff and external partners, how patient diagnosis and isolation workflows can be expediated, the best way to prioritize alerts for critical patients, how to ensure staff safety, and the use of text messaging to monitor patients who are self-isolating at home.

The TigerConnect platform has been adopted by more than 6,000 healthcare organizations to collaborate and communicate effectively. One of those healthcare organizations, Singapore Health, is using the TigerConnect platform to improve enterprise-wide communication and coordinate its response to COVID-19 cases. Singapore Health has been commended for the efficiency and effectiveness of its response to the crisis. TigerConnect will be sharing information on the lessons learned to help U.S. healthcare providers deal with the COVID-19 crisis more effectively.

The webinar is being hosted by Dr. Will O’Connor, Chief Medical Information Officer, TigerConnect and Julie Grenuk, Nurse Executive, TigerConnect.

The webinar will consist of a live presentation followed by a Q&A session.

Webinar Details:

Date:     Thursday, March 19th, 2020
Time:     2 p.m. ET / 11 a.m. PT

Click here to register for the free webinar

The post Webinar Today: Communication Best Practices During a Pandemic appeared first on HIPAA Journal.

Telehealth Services Expanded and HIPAA Enforcement Relaxed During Coronavirus Public Health Emergency

In an effort to prevent the spread of the 2019 novel coronavirus, patients suspected of being exposed to the virus and individuals with symptoms of COVID-19 have been told to self-isolate at home. It is essential for contact to be maintained with people at risk, especially seniors and people with disabilities.

Telehealth services, including video calls, can help healthcare professionals assess and treat patients remotely to reduce the risk of transmission of the coronavirus. Telehealth services can also be used to maintain contact with patients who choose not to visit medical facilities due to the risk of exposure to the virus.

On Monday, March 16, 2020, the Trump Administration announced that telehealth services for Medicare beneficiaries have been expanded. Prior to the announcement, doctors were only able to claim payment for telehealth services provided to people living in rural areas and no access to local medical facilities and for patients with established relationships with billing providers.

“We are doing a dramatic expansion of what’s known as telehealth for our 62 million Medicare beneficiaries, who are amongst the most vulnerable to the coronavirus,” explained Seema Verma, administrator of the Centers for Medicare and Medicaid Services (CMS). “Medicare beneficiaries across the nation—no matter where they live—will now be able to receive a wide-range of services via telehealth without ever having to leave home. These services can also be provided in a variety of settings, including nursing homes, hospital outpatient departments, and more.”

Effective March 6, 2020, Medicare will reimburse a wide range of healthcare providers for office and telehealth visits, including nurse practitioners, social workers, and clinical psychologists. Reimbursement will be at the same rate as face-to-face visits.

Relaxation of Enforcement of Noncompliance with HIPAA

Telehealth services are subject to HIPAA regulations. The technology used, such as smartphone and communications platforms, must comply with HIPAA rules and have safeguards in place to ensure the confidentiality, integrity, and availability of ePHI. During a public health emergency such as a disease outbreak the HIPAA Security Rule still applies. Healthcare professionals that provide telehealth services would, under normal circumstances, not be permitted to use certain video conferencing technology such as Facetime or Skype, as the services are not fully compliant with HIPAA.

The HHS’ Office for Civil Rights announced on March 17, 2020 that it is taking a more relaxed position on HIPAA enforcement of noncompliance with certain HIPAA provisions related to telehealth services. “OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.  This notification is effective immediately,” explained OCR in its Notification of Enforcement Discretion for telehealth.

OCR confirmed that during the coronavirus public health emergency, healthcare providers are permitted to use “any non-public facing remote communication product that is available to communicate with patients,” in connection with good faith provision of telehealth. That enforcement discretion also applies to telehealth services related to the diagnosis and treatment of health conditions unrelated to COVID-19. While enforcement has been relaxed, Verma said “it is still important for covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures.”

While OCR does not endorse the use of certain products, it has been suggested that healthcare providers could use Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype. Public facing chat and communications platforms such as Facebook Live, Twitch, and TikTok would not be permitted for telehealth purposes.

OCR reminded covered entities that they can obtain greater privacy protections by using HIPAA-compliant video communications solutions and should obtain a signed business associate agreement. Provides of platforms that do sign BAAs and provide a HIPAA compliant service include TigerConnect, Skype for Business, Zoom for Healthcare, Updox and VSee.

“OCR will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency,” explained OCR in its notice. When the public health emergency ends, penalties would apply if a BAA is not in place and communications platforms are used that are not HIPAA compliant.

The post Telehealth Services Expanded and HIPAA Enforcement Relaxed During Coronavirus Public Health Emergency appeared first on HIPAA Journal.

HIPAA Compliance and COVID-19 Coronavirus

HIPAA covered entities – healthcare providers, health plans, healthcare clearinghouses – and business associates of covered entities no doubt have many questions about HIPAA compliance and COVID-19 coronavirus cases. There may be confusion about the information that can be shared about individuals who have contracted COVID-19 and those suspected of exposure to the 2019 Novel Coronavirus, and with whom information can be shared.

HIPAA Compliance and the COVID-19 Coronavirus Pandemic

There is understandably concern about HIPAA compliance and the COVID-19 Coronavirus pandemic and how the HIPAA Privacy Rule and Security Rule apply. In the age of HIPAA, no disease outbreak on this scale has ever been experienced.

It is important to remember that during a public health emergency such as a disease outbreak, and this applies to HIPAA compliance and COVID-19, that the HIPAA Privacy and Security Rules still apply. The HIPAA Security Rule ensures the security of patients’ protected health information (PHI) and requires reasonable safeguards to be implemented to protect PHI against impermissible uses and disclosures. The HIPAA Privacy Rule restricts the uses and disclosures of PHI to those related to treatment, payment, and healthcare operations.

When public health emergencies are declared, it is common for the Secretary of the HHS to issue partial HIPAA waivers in affected areas. In such cases, certain provisions of the HIPAA Privacy Rule are waived for a period of 72 hours from the moment a HIPAA-covered entity institutes its disaster protocol. As of March 16, 2020, no HIPAA waivers have been declared by the Secretary of the HHS. Even without a HIPAA waiver, the HIPAA Privacy Rule permits responsible uses and disclosures of patients’ PHI.

OCR released a bulletin about the 2019 Novel Coronavirus in February 2020 confirming how patient information may be shared under the HIPAA Privacy Rule during emergency situations, such as the outbreak of an infectious disease, a summary of which is detailed below.

Permitted Uses and Disclosures of PHI in Emergencies

PHI can be disclosed without first receiving authorization from a patient for treatment purposes, including treating the patient or treating other patients. Disclosures are also permitted for coordinating and managing care, for patient referrals, and consultations with other healthcare professionals.

With a disease such as COVID-19, it is essential for public health authorities to be notified as they will need information in order to ensure public health and safety. It is permissible to share PHI with public health authorities such as the Centers for Disease Control and Prevention (CDC) and others responsible for ensuring the safety of the public, such as state and local health departments. These disclosures are necessary to help prevent and control disease, injury, and disability. In such cases, PHI may be shared without obtaining authorization from a patient.

Disclosures of PHI are also permitted to prevent and lessen a serious and imminent threat to a specific person or the public in general, provided that such disclosures are permitted by other laws. Such disclosures do not require permission from a patient. In such cases, these disclosures are left to the discretion and professional judgement of healthcare professionals about the nature and the severity of the threat.

Disclosures of Information to Individuals Involved in a Patient’s Care

The HIPAA Privacy Rule permits disclosures of PHI to individuals involved in the care of a patient such as friends, family members, caregivers, and other individuals that have been identified by the patient.

HIPAA covered entities are also permitted to share patient information in order to identify, locate, and notify family members, guardians, and other individuals responsible for the patient’s care, about the patient’s location, general condition, or death. That includes sharing information with law enforcement, the press, or even the public at large.

In such cases, verbal permission should be obtained from the patient prior to the disclosure. A healthcare professional must otherwise be able to reasonably infer, using professional judgement, that the patient does not object to a disclosure that is determined to be in the best interest of the patient.

Information may also be shared with disaster relief organizations that are authorized by law or charters to assist in disaster relief efforts, such as for coordinating the notification of family members or other persons involved in the patient’s care about the location of a patient, their status, or death.

The HIPAA Minimum Necessary Standard Applies

Aside from disclosures by healthcare providers for the purpose of providing treatment, the ‘minimum necessary’ standard applies. Healthcare professionals must make reasonable efforts to ensure that any PHI disclosed is restricted to the minimum necessary information to achieve the purpose for which the information is being disclosed.

When information is requested by a public health authority or official, covered entities can rely on representations from the public health authority or official that the requested information is the minimum necessary amount, when that reliance is reasonable under the circumstances.

Disclosures About COVID-19 Patients to the Media

HIPAA does not apply to disclosures by the media about infections, but HIPAA does apply to disclosures to the media by HIPAA-covered entities and their business associates. In such cases, the HIPAA-covered entity or business associate can provide limited information if a request is made about a patient by name. The information disclosed should be limited to the general condition of the named patient and their location in the facility, provided the disclosure is consistent with the patient’s wishes. The status of the patient should be described in terms such as undetermined, good, fair, serious, critical, treated and released, treated and transferred, or deceased.

All other information may not be disclosed to the media or any individual not involved in the care of a patient without first obtaining written consent from the patient in question.

Disclosures of Information About COVID-19 by Non-HIPAA Covered Entities

It is worth noting that HIPAA only applies to HIPAA-covered entities, business associates of HIPAA-covered entities, and subcontractors of business associates. There are no restrictions on disclosures of information about the 2019 Novel Coronavirus and COVID-19 by other entities; however, while HIPAA may not apply, other federal and state laws may do.

HIPAA would therefore not apply when an employee tells an employer they have contracted COVID-19 or are self-isolating because they are displaying symptoms of COVID-19. HIPAA would apply if an employer is informed about an employee testing positive, if the employer is notified about the positive test by the employer’s health plan.

Further Information on HIPAA Compliance and the COVID-19 Coronavirus Pandemic

In response to this emergency, HIPAA Journal has worked with Compliancy Group to set up a free hotline for any questions you have related to the response to HIPAA compliance during coronavirus crisis: (800) 231-4096

Background Information on the SARS-CoV-2 Pandemic and COVID-19

The 2019 Novel Coronavirus has been named Severe Acute Respiratory Syndrome Coronavirus 2 (SARS-CoV-2) and causes Coronavirus Disease 2019 (COVID-19). The virus was first identified in November and originated in Wuhan, in the Hubei province of China. The Chinese government took steps to control the spread of the virus, but it was not possible to contain, and it spread around globe.

The World Health Organization (WHO) declared the outbreak a public health emergency of international concern on January 30, 2020. Following the WHO declaration, HHS Secretary Alex Azar declared the SARS-CoV-2 outbreak a public health emergency for the United States. WHO declared the outbreak a pandemic on March 11, 2020 and on March 13, 2020, President Trump declared COVID-19 a national emergency.

SARS-CoV-2 is highly infectious, and COVID-19 has a high mortality rate. The mortality rate is difficult to determine many people infected with SARS-CoV-2 only have relatively mild symptoms and do not seek medical help. Testing has been erratic initially in many locations and tests have been in short supply. Based on the limited data available, the mortality rate ranges from less than 1% to 7%. In early March, WHO estimated a mortality rate of 3.4%; however, the data on which these figures are based may be inaccurate and this is an evolving situation.

One of the main factors that has contributed to the rapid spread of SARS-CoV-2 is the long incubation period before symptoms are experienced, during which time infected individuals can spread the virus. It can take up to 14 days before infected individuals start displaying symptoms. The median incubation time is 10 days.

This is a rapidly changing situation that is likely to get considerably worse until the spread of the disease can be curbed. In the absence of a vaccine to provide protection, steps need to be taken by the entire population to limit exposure and prevent the spread of the disease.

There has been significant progress towards a vaccine in a short space of time. Some pharma firms having already developed potential vaccines, but they now need to be tested for safety on humans in clinical trials. Even if the process can be fast tracked, it is unlikely that a vaccine will be available before 2021.

The post HIPAA Compliance and COVID-19 Coronavirus appeared first on HIPAA Journal.

TigerConnect Secure Communications Platform Offered to Hospitals Free of Charge During COVID-19 Pandemic

TigerConnect, the provider of the most widely used secure healthcare communications platform in the United States, has announced that U.S. health systems and hospitals can use its platform free of charge to help support COVID-19 related communications during the novel coronavirus pandemic.

TigerConnect has been tracking COVID-19 and the impact it is having on the U.S. healthcare system. Unsurprisingly given the rapid spread of the virus, use of its secure communications platform has surged. The company also reports that it is receiving an increasing number of calls from customers looking to expand licenses to make sure all staff have access to the platform to expedite internal and external communication and support isolation workflows.

The TigerConnect platform can be used to create dedicated channels for COVID-19 communications to provide support for patients and staff members. The platform ensures instant and immediate communication of preparedness plans, staff schedules, guidelines on infection control and isolation protocols, and other critical information. Users of the platform can contact any person within a healthcare system instantly, without knowing their number or extension.

“As part of the healthcare community, we harbor a sense of duty to do everything we can to keep the flow of information moving as quickly as possible,” explained TigerConnect. “This is the time to remove any barriers that might keep organizations from having every tool they need to fight COVID-19.”

Hospitals and health systems that have not yet adopted the TigerConnect platform are being offered complimentary use of the TigerConnect secure texting network for up to 6 months to support COVID-19 communications. Existing customers will be provided with complimentary expansion of TigerText Essentials licenses for up to 6 months. TigerConnect has also announced that it will be extending support hours and publishing resources and conducting webinars to help current and new users of the platform optimize communications.

As has been seen in Europe, which is now the epicenter of the COVID-19 pandemic, hospitals and health systems are stretched and struggling to cope with the number of cases. Immediate, enterprise-wide communication is critical for preventing the spread of the disease.

In Singapore, stringent measures have been implemented to prevent the spread of the novel coronavirus. As of March 14, there have been 200 cases of COVID-19 in Singapore but no COVID-19 deaths. Coordinating the response to COVID-19 and ensuring resources are correctly allocated has been a major challenge, but one that has been helped by having an efficient communications system in place. 55,000 healthcare professionals in Singapore are using the TigerConnect platform and usage has increased fivefold in the past three weeks. Being prepared and having the systems in place to deal with outbreaks of disease that support fast and efficient communication has been invaluable.

“It is clear that identifying new cases quickly and sharing that information among key stakeholders is crucial to containment and treatment,” explained TigerConnect co-founder and CEO, Brad Brooks. “Our mission is to help organizations remove the barriers that might slow down those responses as we continue to partner with the organizations on the front lines of this crisis.”

The post TigerConnect Secure Communications Platform Offered to Hospitals Free of Charge During COVID-19 Pandemic appeared first on HIPAA Journal.

HSCC Publishes Best Practices for Cyber Threat Information Sharing

The Healthcare and Public Health Sector Coordinating Council (HSCC) has published best practices for cyber threat information sharing. The new guidance document is intended to help healthcare organizations develop, implement, and maintain a successful cyber threat information sharing program to reduce cyber risk.

The new document builds on previously published guidance – the Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO) – in which HSCC identified key Information Sharing and Analysis Organizations (ISAOs) for the healthcare sector. The latest guidance document helps organizations determine what information to share, how to share the information, and how to protect any sensitive information they receive, as well as providing best practices for obtaining internal and legal approvals for information sharing processes.

One of the main benefits of participating in these programs is to learn about possible attacks and the mitigations to implement to avoid becoming a victim. If an attack occurs at one healthcare organization, it is probable that similar attacks will be performed on others. Through threat information sharing, healthcare organizations can learn from others about attacks and mitigations so they can prepare and improve their own security posture. This is especially important for healthcare organizations with limited resources to devote to cybersecurity as it allows them to crowd source cybersecurity expertise.

The threat landscape evolves at a rapid pace and new attack methods are constantly being developed by cybercriminals. Cyber threat intelligence sharing programs help participants keep abreast of new attack methods and take steps to reduce risk through rapid sharing of actionable intelligence. Cross-organizational collaboration also helps to improve patient safety through the development of trusted networks that help manage potential threats.

The guidance document helps organizations get started by outlining the steps that need to be taken to prepare before joining a threat information sharing program. Preparation requires information sharing goals and objectives to be established, as well as governance models for regulatory compliance. Information sharing assets must be categorized, a governance body must be created, and sanitization rules must be established. HSCC recommends involving the legal department early in the information sharing process and making sure the value and scope of information sharing is understood.

The HSCC cyber threat information sharing guidance details the types of information that should be shared, such as strategic, tactical, operational, and technical intelligence, as well as open source data and incident response information. “While some may believe that threat intelligence only includes information about malware, hacking techniques, and threat actors – threat intelligence data truly comes in a variety of forms and should encompass all cyber risk that could impact the health industry, such as third-party risks, insider threats, cybersecurity risks, regulatory risks, and geopolitical risks,” explained HSCC.

The guidance also details best practices for sharing information, such as using the traffic light protocol and ensuring legal protections are in place to protect against any liability, and also provides advice on who to share threat data with. The document concludes with case studies showing how information can be shared to benefit the information sharing community and protect against attacks.

The HSCC best practices for cyber threat information sharing can be downloaded on this link.

The post HSCC Publishes Best Practices for Cyber Threat Information Sharing appeared first on HIPAA Journal.