On Thursday, May 14, 2020 Veoci conducted a webinar led by Veoci’s Jennifer McTiernan, General Counsel, and Nathaniel Ellis, Co-founder and Director of Strategic Solutions. Together, the two discussed how enforcement of HIPAA has been affected by the COVID-19 pandemic and how Veoci’s solutions can help organizations with the changing landscape. Nothing in this webinar should be interpreted as legal advice, nor is it a substitute for legal advice.
This webinar was originally recorded on Thursday, May 14th, 2020. If you’d like to see the recording of the webinar, click here.
The Basics of HIPAA and COVID-19
HIPAA regulates the use and disclosure of protected health information (PHI). This regulatory framework was designed to be balanced and flexible, so that it could ensure privacy while also meeting the needs of public health emergencies. In response to COVID-19, the Office of Civil Rights (OCR) in the U.S. Department of Health and Human Services began issuing guidance and notifications related to changes to HIPAA enforcement and other reminders related to the pandemic. Since February, OCR has issued the following:
- February Bulletin on HIPAA and COVID-19
†- Notification of Enforcement Discretion on Telehealth Remote Communications and Guidance on Telehealth Remote Communications
†- Guidance on Disclosures to Law Enforcement, Paramedics, Other First Responders, and Health Authorities
†- Notification of Enforcement Discretion on Uses and Disclosures of PHI by Business Associates for Public Health and Health Oversight Activities
†- Notification of Enforcement Discretion Regarding COVID-19 Community Based Testing Sites
Telehealth Remote Communications
The Notification of Enforcement Discretion on Telehealth Remote Communications and Guidance on Telehealth Remote Communications provided notice that the Office of Civil Rights will not impose HIPAA penalties against covered health care providers for noncompliance in connection with the good faith provision of telehealth using remote communication technologies.
This notification is not limited to telehealth meant to treat COVID-19. It applies to any healthcare provider treating patients on non-public facing communication apps, such as FaceTime, Zoom, or Skype. It does not extend to public-facing communication apps like Facebook Live.
The goal of this notification is to make it easy for people to access the healthcare they need remotely during the COVID-19 pandemic. For more information, read additional guidance on telehealth from the Office of Civil Rights.
Disclosures to First Responders
The Guidance on Disclosures to Law Enforcement, Paramedics, Other First Responders, and Public Health Authorities offers guidance on existing HIPAA Privacy Rule permissions and provides examples of when a covered entity may disclose PHI about individuals without their HIPAA authorization.
This is designed to ensure that first responders and public health officials can get the information they need to perform their duties and ensure the safety of themselves and others. Situations in which they can disclose public health information include:
- When the disclosure is needed to provide treatment
†- When the disclosure is required by local, state, or federal law
†- To notify a public health authority to prevent or control the spread of disease
†- When first responders may be at risk of infection
†- To prevent or lessen a serious or imminent threat
It is also crucial disclosures made under this guidance meet the minimum necessary standard.
Uses and Disclosures of PHI by Business Associates
The Notification of Enforcement Discretion on Uses and Disclosures of PHI by Business Associates for Public Health and Health Oversight Activities aims to protect covered healthcare providers or their business associates for good faith uses and disclosures of PHI for public health and health oversight activities.
The HIPAA privacy rule already permits covered entities to provide this data, and now business associates are also permitted to share this data without risk of a HIPAA penalty, assuming good faith.
The aim behind this is to support federal public health authorities and health oversight agencies, state and local health departments, and state emergency operations centers who need access to COVID-19 related data, including PHI, that business associates may be uniquely positioned to provide.
Community-Based Testing Sites
The Notification of Enforcement Discretion Regarding COVID-19 Community-Based Testing Sites states that the Office of Civil Rights will not impose HIPAA penalties against covered healthcare providers and their business associates in connection with the good faith participation in the operation of a community-based testing site during the COVID-19 pandemic.
Testing sites are crucial at this point in time, and public health authorities don’t want to dissuade community-based testing sites from operating due to a fear of violating HIPAA regulations. Of course, reasonable safeguards to protect PHI are encouraged.
HIPAA and Veoci Solutions
Nathaniel’s portion of the webinar focused on Veoci’s solution for contact tracing and how the platform can help organizations protect data. The contact tracing solution has already been developed and is used by multiple Veoci customers.
This solution is a good example of how Veoci can help you comply with HIPAA and report data to necessary stakeholders when it involves pulling in public health information and that information is being collected by a community of people, which might include volunteers.
There are numerous precautions you can take within Veoci to make sure your data is protected, such as locking down data and only sharing the minimum necessary information.
Logging into Veoci you’ll see customizable security settings right off the bat. There is a multi-factor authentication system integration for usernames and passwords. There are also restrictions that can be placed on how complicated passwords need to be and how often they need to be reset.
Once logged into Veoci, each user will only see the information that is necessary for them to perform their duties. Security permissions can also be managed through lists; you can grant or deny access to lists of people with the click of a button.
The data collection process also has security measures built in. Information can be gathered into various sections; certain sections or blocks of information can be made available to specific parties. Information that has already been gathered can also be hidden to the person doing follow-up communications.
This data collection process in Veoci allows you to collect information that is highly specific, but then control who can see or edit this information later on.
For example, each individual viewer or contact tracer can only see the calls that they’re going to make. They don’t have access to anyone else’s lists or information. The information on each contact can’t be viewed straight from the Dashboard. A user would have to click into each individual contact to see their information.
As another example, once you’ve collected this sensitive information you may need to alert people to follow-up on it. An alert can be sent that a high priority case has been submitted, but there will be no detail in the notification – just a link taking them to the contact. They can only view the link if they have access to that particular record to see the information and follow-up.
Security and Technology
Even with relaxed enforcement of some HIPAA rules for the time being, it remains important for organizations to protect their data and ensure current and future HIPAA compliance. Technology platforms like Veoci can help organizations achieve this by providing critical safeguards and security measures.