In a recent panel discussion with Adam Greene, partner at Davis Wright Tremaine and a former regulator at HHS, and Richard Chapman, Chief Privacy Officer at UK HealthCare, we discussed the implications and effect of the waivers on healthcare in general and on the exploding use of telehealth. In a recent blog, we shared their perspectives on the sticky questions surrounding COVID-19 privacy, including reporting to public health authorities or the media.
The live panel discussion also covered OCR announcements regarding release of health information to first responders and privacy requirements in community-based COVID testing sites. In this blog, we’ll look at the questions raised by those announcements.
Protecting Privacy and First Responders
On March 24th, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced that HIPAA covered entities would temporarily be allowed to disclose protected health information (PHI) about a person who has been infected with or exposed to COVID-19 to first responders, including law enforcement, firefighters, and paramedics.
In the OCR press release, OCR Director Roger Severino noted that the intent is to keep first responders safe during the pandemic, when their services are especially critical.
“This guidance helps ensure first responders will have greater access to real time infection information to help keep them and the public safe.”
But if reporting COVID statistics raises HIPAA compliance questions, the prospect of releasing actual patient names and addresses raises even more. Adam Greene says he has fielded a number of questions from first responders about this announcement.
“Medical first responders may not have adequate supplies of personal protective equipment (PPE). And even if they do, they may still have concerns about being infected, so they want to know if they’re going into someone’s house who might be COVID-19 positive. The law enforcement officials that I talked to had the same concerns, and they didn’t have PPE.”
Meanwhile, Greene has fielded questions from healthcare providers worried about how to meet first responder requests.
“One provider said their local law enforcement wanted reports of every COVID-19 patient who had been through the hospital or health system, on the possibility they would be called to that person’s house. That gets into the ‘serious and imminent’ question.”
[Ed note: HIPAA allows for disclosure of PHI when there is a serious and imminent threat to another person.]
“Fortunately, OCR had provided guidance. If law enforcement or first responders have been exposed, they can be told. In other cases, there is some serious navigating required. For example, the dispatch center might be able to have a list of COVID-19 patients, but they could only disclose names to first responders on an as-needed basis, say, if they were called to a patient’s address.”
Richard Chapman felt fortunate that his privacy team didn’t have to deal with the first responder issues directly.
“We get patients from a number of first responder companies and from multiple counties. So, we already were working on infection preventions with local health departments and using guidance from the February 20th HHS announcements. We were following OCR guidance in good faith to help prevent further spread of the virus. But we also didn’t interpret this to mean we were going to hand over patient lists proactively. I did get some questions related to being more proactive with disclosures. We kept coming back to, ‘HIPAA’s not suspended. We still have certain principles we’re expected to follow.’ But we did rely on local health departments to help us with contact tracing.”
HIPAA Compliance and Community-Based Testing
On April 9th, the OCR announced it would not impose penalties for HIPAA violations related to good faith operation of COVID-19 testing sites during the nationwide public health emergency. Testing has been cited by a number of experts as a critical tool for ending lockdowns while keeping new COVID cases in check.
The agency’s announcement said the enforcement discretion is meant to support specific types of healthcare providers, including some large pharmacy chains, and their business associates that may choose to operate “mobile, drive-through, or walk-up sites that only provide COVID-19 specimen collection or testing services to the public.”
Adam Greene suspects that the intent of this announcement is twofold. One consideration is purely practical:
“Community-based testing is an interesting concept. For example, when people donate at a community blood drive in a school auditorium, it’s hard to enforce privacy. There are probably the same challenges in a community testing site. We don’t want the perfect to be the enemy of what’s needed in this pandemic.”
The other intent may be to facilitate reporting.
“The mention of BAs makes me think they had a specific type of vendor in mind. Maybe an EMR vendor of a covered entity is sitting on testing data that could be very useful in this situation. Before this, without a BA agreement that made an exception for public health, BAs could not disclose to public health authorities. This could help them.”
Chapman agrees that community testing poses some privacy challenges, and says his team has worked to define “good faith” privacy practices for UK Healthcare’s staff and patients.
“Drive-through testing was tough, since some of our normal privacy and security protocols don’t exist in that environment. We wanted to market the service to our community, but we knew that patients were in plain sight in their cars. It took some marketing and communications to get out to staff, patients, and the media that photos and other activities weren’t permitted at drive-through testing sites.”
Proceed with Caution
While OCR has offered a good amount of guidance on its temporary waivers during this national health emergency, Adam Greene advises that every privacy team consider carefully when, why, and how far to go in relaxing privacy practices during the pandemic.
“These temporary waivers from OCR don’t change contract obligations for privacy protection, nor are they a guarantee that state Attorneys General won’t take action based on state privacy laws.”
As both Greene and Chapman noted, eventually the COVID crisis will end, and healthcare providers may be called to account for the decisions made now. We’ll talk more about how to prepare for post-COVID privacy enforcement in an upcoming blog.
If you want to attend upcoming online sessions, receive new content, and network with colleagues about privacy challenges, you join the Privacy Collective.