hipaa and corona privacy

24/07/2020

HIPAA and Coronavirus Privacy: Retail, Restaurants, and Theme Parks

As the spread of the coronavirus seems to be slowing, many people are preparing to get back to life as usual.

 

Consumers are anxiously awaiting the reopening of the country, with some states further along than others. The goal is to safely reopen retail stores, restaurants, and theme parks.

 

This has led some of these establishments to require proof of negative COVID-19 test results, causing many consumers to cry HIPAA violation. Is this a HIPAA violation? HIPAA and coronavirus privacy is discussed below.

HIPAA and Coronavirus Privacy

The coronavirus pandemic has caused many businesses to reevaluate how well they are protecting consumers.

 

Many businesses have increased cleaning protocols to prevent the spread of the virus, as well as implemented new standards for consumers entering the establishments.

 

Several businesses are requiring employees and consumers to wear masks, are conducting temperature checks on anyone entering the business, and are requiring proof of negative COVID-19 test results. These new requirements have many consumers concerned that their privacy rights under HIPAA are being violated.

 

HIPAA established industry standards for the privacy of protected health information (PHI). Under HIPAA, coronavirus test results are considered PHI. As PHI, covered entities and business associates cannot disclose a patient’s coronavirus test results outside of treatment, payment, or healthcare operations. 

 

But what about during a global pandemic? These entities are permitted to disclose coronavirus test results to public health authorities for the purpose of public safety.

 

This is to notify people who may have come into contact with a coronavirus positive patient. However, disclosed information must only be the minimum necessary information to accomplish the purpose of the disclosure.

Can Consumer Businesses Ask Patrons for Test Results?

Consumer businesses such as retail stores, restaurants, and theme parks are neither covered entities nor business associates. Since they are neither covered entities nor business associates, these establishments do not fall under the jurisdiction of HIPAA law.

 

As such, they can ask patrons for proof of negative COVID-19 test results, without fear of violating HIPAA, before they are permitted entry to these establishments. 

Source: compliancy-group.com

26/12/2020

COVID-19’s Impact on Telehealth & HIPAA Regulations 

The declaration of COVID-19 as a pandemic and the United States declaring a national emergency to help contain and enhance treatment access have resulted in a number of changes to ease potential regulatory burdens or barriers in healthcare.

 

Like so much happening as a result of the pandemic, the changes have the potential to fundamentally change the healthcare industry not just during the time of the emergency declaration.

 

Of particular note are coordinated announcements from various agencies within the federal Department of Health and Human Services connected to the provision of telehealth services. The advancement and relaxation of regulations are designed to increase access to telehealth services and make it easier to deliver the services.

 

The scope of telehealth services now available, as explained by the Centers for Medicare and Medicaid Services (CMS), can be broken into three main categories: (i) telehealth visits, (ii) virtual check-ins, and (iii) e-visits.

 

Telehealth Visits – For purposes of Medicare, a telehealth visit is a visit between a patient and a clinician that uses interactive audio and video. The visits generally cover visits that could otherwise occur in person. As such, the telehealth visit is being structured as a replacement for an office visit for the time being.

 

The telecommunication platform must provide real-time communication between the patient and the clinician. CMS will also turn a blind eye to the established patient requirement, which essentially means a telehealth visit can occur with both new and established patients.

 

Additionally, a patient will be permitted to receive telehealth services while in their home, which reinforces the goal of maintaining social distancing.

 

Virtual Check-Ins – A virtual check-in is meant to be a brief discussion between a clinician and a patient, which can be audio-only. Further, CMS expects that in most instances the patient will be the one to initiate a check-in. The check-in cannot be related to an office visit from the previous 7 days or lead to a full visit within 24 hours after the check-in. Additionally, the patient must verbally agree to the check-in. Lastly, a check-in is only billable for an established patient, which follows from the description of the service as being focused on a quick interaction between a patient and their clinician.

E-Visit – An e-visit is similar to a virtual check-in, but must be patient-initiated and is expected to occur through the patient portal. Further, the service can cover up to a 7 day period between the communication initiated by the patient and interactions with the clinician. Before being able to bill for the e-visit, the patient must be established with the clinician and made aware of the fact that reimbursement will be sought for the services.

 

On top of opening up the scope and ability to provide telehealth-based visits, a bigger change is to reimburse the telehealth visits at the same level as in-person visits.

 

Arguably, one of the primary barriers to telehealth adoption up until this point has been a lack of or lower reimbursement.

 

The incentivization of patient interactions through telehealth means not only will healthcare organizations potentially be able to somewhat mitigate the financial fallout from telling patients to remain home, but it also gives a good alternative that could stabilize access.

 

Stabilizing access is important since reducing non-emergent issues cannot be put off indefinitely.

 

Along with trying to provide some financial relief to healthcare organizations enabling telehealth, the Office for the Inspector General (OIG) issued a policy statement acknowledging that patients may also be facing financial constraints. In particular, patients may not be able to afford all cost-sharing amounts. Accordingly, the OIG stated it will not pursue fraud-based enforcement actions if cost-sharing amounts are waived or reduced during the emergency period.

 

Such a statement is necessary because widely waiving or reducing cost-sharing can be viewed as an inducement to patients that in turn encourages the patients to obtain services from that clinician, which in turn allows for more billing to government healthcare programs.

 

It is a bit convoluted, but the bottom line is that such a chain of events is not generally permissible and is set out as a form of fraud. While the OIG does explicitly, and not surprisingly, reserve the right to change this policy statement at any time, a reversal would not be expected in light of the clearly extraordinary circumstances that currently exist.

 

The last major action to open up access on the telehealth front is a notification from the Office for Civil Rights (OCR) that it will not enforce HIPAA violations for the good faith provision of telehealth services during the course of the emergency. Good faith effort means still using a non-public service, but that can include general use applications, with FaceTime, Google Hangouts, Facebook Messenger and Skype specifically called out.

 

The implication is that none of these services would have been viewed as acceptable under HIPAA in normal times by OCR, which could end up being useful guidance once the emergency ends. The statement that services need to be non-public is contrasted with examples of public-facing services, which are identified to include Facebook Live, Twitch, and TikTok.

 

At the same time that OCR gives tacit permission to use general services, the last section of its announcement is to implicitly suggest that it would still prefer the use of services that do meet HIPAA standards.

 

An exemplary list is provided of services that satisfy HIPAA requirements and ensure greater privacy. Some solutions have expressed a willingness to provide free access for at least some period of time during the emergency, which can mitigate concerns about cost. Given those factors, it seems a safer course for all would be to seek the use of a fully private and secure service.

A question left unasked and unanswered in the statement is what happens when the emergency ends. Once the privacy cat is let out of the bag, it cannot be put back in.

 

That means patient data hosted or stored in a non-HIPAA compliant platform could end up being used for a number of unexpected or non-desirable purposes. While it is essential to ensure a comprehensive ability to provide needed services to patients during this emergency, awareness of longer-term consequences cannot be completely ignored, especially when immediacy does not need to be sacrificed to those considerations.

 

One final consideration that is left wholly unaddressed by the changes: what about malpractice protection? Not all professional liability policies will automatically cover services provided by telehealth. Physicians, clinicians, and organizations will need to assess coverage unless some sort of liability waiver is also introduced. As always, healthcare has multiple layers of complications and considerations.

 

The extraordinary nature of these times is completely unavoidable and cannot be stated often enough.

 

The potential threat to the health of everyone is very real, but doors are being thrown wide open to help mitigate those dangers. Once the current emergency passes, it can only be hoped that the system has been transformed in better ways permanently.

Read the full article at: hitconsultant.net
