By Linda Kloss

In the midst of the COVID-19 pandemic, HIM leaders at health systems in New York, New Jersey, Boston, Delaware, and North Carolina taught us powerful lessons about rapid adaptation and change. Over the past month, we shared their insights in two webinars and three blogs. This fourth blog addresses the privacy and security of protected health information (PHI) as health systems lock down to protect staff, patients, and visitors. This public health emergency requires facilitating the flow of information while preserving essential privacy protections and stepping up security, a difficult balancing act in the best of times.

The Office for Civil Rights (OCR) acted quickly to issue guidance for covered entities and business associates, waiving penalties and sanctions and exercising its enforcement discretion regarding certain good faith disclosures of PHI. For covered entities, these focused on helping family members get information on their loved ones even as they were blocked from in-person visits. For example, staff involved in the individual’s care may speak with an involved family member or friend without the patient’s express agreement; the Notice of Privacy Practices need not be distributed; and patient rights regarding opting out of a facility directory and requesting restricted communication of certain PHI may be temporarily set aside.

Under ordinary circumstances, when federal and local public health and public safety officials seek PHI from business associates, the disclosure may be prohibited unless explicitly authorized in the business associate agreement. The OCR enforcement discretion removes this barrier, provided the business associate can show good faith use of the disclosed information for public health or health oversight and informs the covered entity. These OCR actions are relatively narrow in their focus. They do not, for example, relax other obligations such as breach notification.

Our panel of HIM leaders acknowledges that these temporary relaxations are helpful and are used as a backstop. The default is to fully comply with HIPAA, but when this is not possible, these temporary modifications allow staff to proceed without undue worry. They remove barriers to acting quickly.

Our panelists point to areas not covered by OCR modifications for which workarounds have had to be put in place:

    • The increase in requests by phone and the need for reasonable authentication of the identity of requestors.
    • Accumulating mail in closed medical practices and the potential difficulty of processing requests on a timely basis.
    • Up-to-date and accurate authorization for access to EMR data by new healthcare workers from outside the system who have been quickly pressed into service.

As each health system finds ways to deal with these and other privacy challenges, the watchword continues to be good faith efforts to protect PHI as fully as possible from unauthorized access and disclosure.

An unfortunate truism of life in the digital age is that bad actors attack when we are most vulnerable. Health care is experiencing a sharp increase in cyberattacks, ransomware, and phishing incidents. Working with PHI access and disclosure is a high-security-risk activity. Our panel discussed the following steps:

    • Tighten the security of the work-from-home platform. The transition may have been made quickly and the platform may now need to be hardened.
    • The environment in the home may not be secure due to space limitations. Each situation should be assessed to ensure that PHI is protected.
    • Keep security front and center in routine communications and staff conferences. Include security staff and examples to underscore the need to check before clicking.

Let me once again thank the HIM leaders who taught us so much during the month of April 2020, a month that none of us will ever forget. They have shown us just how much can get done by seizing the momentum. They have kept information flowing, yet confidential; they kept staff safe, while introducing improvements.

Please continue to share your access and disclosure challenges and breakthroughs so we can continue to learn from one another.