Is COVID-19 Unraveling HIPAA?

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow

Let’s Recap
The Health Insurance Portability & Accountability Act (HIPAA) was created in 1996 to protect patients and their privacy; if you are in healthcare, you already know this and are familiar with what it means. One goal was to ensure that people could maintain health insurance between jobs, hence the “Portability” part of the name. A second, critical goal was to address the “Accountability” of insurance to protect the confidentiality of patient information and data. This meant mandating uniform privacy standards for electronic protected health information (PHI) and data transmitted during the course of care. It also meant that health plans could not deny eligibility based on health status: medical conditions, mental illness, genetic information, disability, and other evidence of insurability.

While it is obvious now that this law was necessary, let’s dig deeper into why it was so important. For example, if you were suffering from a mental disorder, you might avoid seeking treatment because it would become “part of your record” and something that a future employer might see as a risk factor in hiring you. You may (and very likely would) avoid treatment, not wanting to take that chance. With HIPAA, you could seek the proper treatment and keep it between you and your doctor.

Did COVID-19 Undo HIPAA?
With the onset of COVID-19, the Office for Civil Rights (OCR) had to relax these laws, as we’ve discussed previously, but one question remains unclear: How much PHI should be shared?

The National Law Review recently discussed this question in greater detail, going over the cases that set precedent for other relevant situations. They used the difference between New Jersey and California as an example of how different states were publicly revealing identifiable information regarding COVID patients. New Jersey’s Health Commissioner created a narrative around the state’s first patient that gave out so much detail that it included hobbies, place of employment, marriage status, and even his other health diagnoses. On the opposite side of the nation, in California, minute details of a person are not being released. This decision was based on the discrimination that could follow should a group be identified as testing positive. For example, some of the first cases were from ethnic individuals who had recently traveled to China, and identifying them as such could have provided an unjustified reason to create bias or prejudice. Does HIPAA protect the privacy of the person or the place?

So how much information is actually necessary to share, and with whom is it okay to share it? This is going to have to be more clearly outlined and defined; otherwise, as you can see, the spectrum is too broad to say that there is even some resemblance to the HIPAA that was in place pre-COVID.

As we progress through this pandemic and find the best way through it, we keep at the forefront of all decision making the question of what is the best way to protect the majority.

This article was originally published on HIPAA Secure Now! and is republished here with permission.
