Privacy requirements still matter in a pandemic.

If you turn on the news these days, you’ll likely see report after report of patients and providers battling COVID-19. Unfortunately, the ramped-up media presence in facilities across the nation has led to concerns that covered entities (CEs) are putting HIPAA privacy on the backburner — and that’s not OK.

Update: On May 5, the HHS Office for Civil Rights (OCR) doubled down with a HIPAA Privacy Rule update to remind CEs that their first priority is to safeguard patients’ protected health information (PHI). In a nutshell, CEs must ensure authorization is in place prior to allowing the media into facilities to film patients during the pandemic.

“Even during the current COVID-19 public health emergency [PHE], covered healthcare providers are still required to obtain a valid HIPAA authorization from each patient whose PHI will be accessible to the media before the media is given access to that PHI,” warns OCR in a release. “The guidance clarifies that masking or obscuring patients’ faces or identifying information before broadcasting a recording of a patient is not sufficient, as a valid HIPAA authorization is still required before giving the media such access.”

‘Consent’ and ‘Authorization’ Are Not the Same

Simply put, patients agree to allow providers to treat them, and that usually registers as verbal consent. Moreover, CEs “voluntarily” procure this patient consent, so they can use and disclose PHI for “treatment, payment, and healthcare operations,” OCR guidance maintains.

On the other hand, authorization is something completely different and refers to a written record obtained by the CE from the patient, allowing PHI to be used for different purposes. This is usually necessary because PHI is being utilized or disclosed for something that isn’t typically sanctioned under the Privacy Rule.
In this case, “voluntary consent is not sufficient to permit a use or disclosure” of PHI, so a valid authorization is required, OCR clarifies.

See the Feds’ Reasoning for Extra Guidance

OCR has announced several notifications of HIPAA enforcement discretion to ease restrictions due to COVID-19. However, just because the feds offer CEs and their business associates (BAs) some regulatory relief with these good faith provisions for HIPAA noncompliance doesn’t mean that the rules don’t apply to the majority of healthcare scenarios.

With an increased media presence in many facilities, the chance for patients’ PHI to be exposed or hijacked is high. That’s why OCR felt it necessary to revisit HIPAA’s authorization requirements as a protection for both patients and providers.

“HHS’ guidance provides several examples of PHI in treatment areas, including how the mere presence of a patient in the area of a healthcare facility dedicated to treating a specific disease, such as COVID-19, reveals the patient’s diagnosis,” explain New York-based attorneys Victoria Anderson and Francisco Cebada with Kelley Drye & Warren LLP in online legal analysis. “As such, members of the media entering a healthcare facility’s treatment areas immediately have access to PHI they can see, hear, and record.”

Caution: According to the HIPAA Privacy Rule, it’s never acceptable “to give the media, including film crews, access to any areas of their facilities where patients’ PHI will be accessible in any form (e.g., written, electronic, oral, or other visual or audio form), without first obtaining a written HIPAA authorization from each patient whose PHI would be accessible to the media,” notes the new OCR guidance.

Plus, a HIPAA authorization should never be a condition of whether or not a patient receives treatment, the agency stresses. Additionally, OCR reminds providers that mask-wearing does not equate to HIPAA compliance and is not something the agency considers a safeguard.
However, the update does offer some examples of what OCR considers security measures to go hand-in-hand with signed authorization forms. Those include:

“The last thing hospital patients need to worry about during the COVID-19 crisis is a film crew walking around their bed shooting ‘B-roll,’” said OCR Director Roger Severino, in a release. “Hospitals and healthcare providers must get authorization from patients before giving the media access to their medical information; obscuring faces after the fact just doesn’t cut it,” Severino cautioned.

Tip: Though your organization may be in crisis mode right now, consider reviewing regulations with your staff. It’s a good idea to check the OCR website daily for COVID-19 changes while reviewing the basics of data sharing, compliance, and HIPAA to ensure you are in line with the recent updates.

“Healthcare providers that permit filming without taking appropriate privacy measures may be televising costly HIPAA compliance failures to a watchful HHS,” warn Anderson and Cebada.

Resource: Find OCR’s updated guidance at www.hhs.gov/sites/default/files/guidance-on-media-and-film-crews-access-to-phi.pdf.

Add ‘Core Elements’ to HIPAA Authorization Forms

There’s some wiggle room on how you write up your HIPAA compliance plan, but you don’t want to wiggle yourself into a violation.

Though you do have some leeway on the scope and design of your authorization forms, the feds do require some standards in your documents to make them legally valid.

Details: Under the HIPAA Privacy Rule, CEs are allowed to use protected health information (PHI) for treatment purposes without patients’ prior authorization. However, if CEs want to use or disclose patients’ data to third parties for things as varied as marketing, social media, news reports, and more, they must have a signed authorization form on file.
There are “core elements” that your authorization form must include to make it valid under the law, indicates an HHS Office for Civil Rights (OCR) decision tool. The HIPAA Privacy Rule mandates the following:

Resource: See more advice on authorizations at www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/authorization/index.html.