What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.
What is Protected Health Information (PHI)?
Protected Health Information means Individually Identifiable Health Information, which means information that is a subset of health information, including demographic information, collected from an individual, and:
- Is created or received by a health care provider, health plan, employer or health care clearing house, and
- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual, and
- That identifies the individual, or
- With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
HIPAA Changes in 2020 Due to the COVID-19 Pandemic
The COVID-19 pandemic has not resulted in any permanent changes to HIPAA, but it has seen unprecedented flexibilities introduced on a temporary basis to make it easier for healthcare providers and business associates to treat and advise patients on the front line in the fight against COVID-19.
During emergency situations such as disease outbreaks, HIPAA Rules remain in effect and the requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule remain unchanged. However, enforcement of compliance may be eased.
Good Faith Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency
The Notice of Enforcement Discretion in relation to COVID-19 was announced by The Office of Civil Rights (OCR) on March 17, 2020 and concerns the good faith provision of telehealth services.
- The Office of Civil Rights (OCR) is waiving potential penalties for HIPAA violations by healthcare providers that provide virtual care to patients through everyday communications technologies during the COVID-19 nationwide public health emergency.
This means healthcare providers are permitted to use everyday communications tools to provide telehealth services to patients, even if those tools would not normally be considered fully HIPAA compliant.
- Individual sessions on platforms such as FaceTime, Skype, Zoom, and Google Hangouts video can be used in the good faith provision of telehealth services for patient consultations without penalty for the duration of the public health emergency. However, public-facing platforms such as TikTok and Facebook Live must not be used.
- On April 2, 2020, The Office of Civil Rights (OCR) announced it will be exercising enforcement discretion and will not impose sanctions and penalties on business associates of HIPAA covered entities for uses and disclosures of PHI for public health and health oversight activities.
For any further questions, please contact datasecurity@luc.edu.
Participation in the Operation of Community-Based Testing Sites (CBTS) During the COVID-19 Nationwide Public Health Emergency
On April 9, 2020, The Office of Civil Rights (OCR) announced it will be exercising enforcement discretion for noncompliance with HIPAA Rules in relation to the good faith participation in the operation of COVID-19 testing sites, and will refrain from imposing sanctions and penalties on covered entities and business associates at these drive-through, walk-up, and mobile sites.
- The Notice of Enforcement Discretion covers the operation of these sites and all activities that support the collection of specimens from individuals for COVID-19 testing only. While penalties will not be applied, “The Office of Civil Rights (OCR) encourages covered health care providers participating in the good faith operation of a Community-Based Testing Sites (CBTS) to implement reasonable safeguards to protect the privacy and security of individuals’ PHI.”
The Notice of Enforcement Discretion is retroactive to March 13, 2020.