HIPAA and COVID-19 Exposure
A Critical Read!
by Sean Weiss, Partner & VP of Compliance
I have just been notified by one of my clients and I am furious! A patient who was thoroughly screened on the phone and by essential staff prior to their face-to-face with the physician and answered “No” to all of the questions but during the visit slipped up during a casual conversation and told the provider they were on day-2 of a mandatory quarantine due to working in a nursing home and being exposed to patients confirmed with COVID-19.
This selfish person placed healthcare workers and staff at significant risk needlessly! I am going to type in CAPS now:
IF YOU ARE SICK OR HAVE BEEN EXPOSED OR POTENTIALLY EXPOSED KEEP YOUR BUTT IN THE HOUSE ONCE YOU HAVE SOUGHT MEDICAL CARE AT A HOSPITAL OR DEPARTMENT OF HEALTH! TELL YOUR CLIENTS TO INFORM PATIENTS BEFORE THEY ANSWER THAT PROVIDING FALSE INFORMATION COULD BE CONSIDERED A CRIME AND MUST BE REPORTED TO LAW ENFORCEMENT AND GOVERNMENTAL AGENCIES HANDLING THE PANDEMIC!
For those who are going to respond to this post and say you cannot do anything about it read the following before you do as under the Limited Waiver During Emergencies: https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf HIPAA in multiple respects is out the window to ensure protections of the community at large vs. the rights of the individual.
Public Health Activities: The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission. Therefore, the Privacy Rule permits covered entities to disclose needed protected health information without individual authorization:
· To a public health authority, such as the CDC or a state or local health department, that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability. This would include, for example, the reporting of disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. A “public health authority” is an agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. See 45 CFR §§ 164.501 and 164.512(b)(1)(i). For example, a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV).
· At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority. See 45 CFR 164.512(b)(1)(i).
· To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations. See 45 CFR 164.512(b)(1)(iv).
Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification: A covered entity may share protected health information with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary to notify family members and others, the police, the press, or the public at large. See 45 CFR 164.510(b).
· The covered entity should get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible; if the individual is incapacitated or not available, covered entities may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest.
· For patients who are unconscious or incapacitated: A health care provider may share relevant information about the patient with family, friends, or others involved in the patient’s care or payment for care, if the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient. For example, a provider may determine that it is in the best interests of an elderly patient to share relevant information with the patient’s adult child, but generally could not share unrelated information about the patient’s medical history without permission.
· In addition, a covered entity may share protected health information with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.
Disclosures to Prevent a Serious and Imminent Threat: Health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. See 45 CFR 164.512(j). Thus, providers may disclose a patient’s health information to anyone who is in a position to prevent or lessen the serious and imminent threat, including family, friends, caregivers, and law enforcement without a patient’s permission. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety. See 45 CFR 164.512(j).
Sean M. Weiss is a Partner and serves as VP/Chief Compliance Officer for DoctorsManagement, LLC based in Knoxville, TN. DoctorsManagement, LLC services more than 20,000 clients nation-wide and has been in existence since 1956. Weiss serves as an Investigator and expert witness in Federal and State cases as well as an expert or lead in Administrative Law Judge Hearings. During his 25-year career, Weiss has engaged in more than 200 cases working with law firms and health systems across the country. Weiss serves as a third-party compliance and regulatory officer for more than a dozen health care organizations across the country of varying sizes. For more information on Sean M. Weiss or DoctorsManagement, LLC visit us online at www.doctors-management.com or contact us directly at 800.635.4040. You can also follow Sean on his biweekly Blog on LinkedIn (Sean M. Weiss “The Compliance Guy”) or at www.thecomplianceguyblog.com
What to do next…
- If you need help with an audit appeal or regulatory compliance concern, contact us at (800) 635-4040 or via email at firstname.lastname@example.org.
- Read more about our: Total Compliance Solution
Why do thousands of providers trust DoctorsManagement to help improve their compliance programs and the health of their business?
Experienced compliance professionals. Our compliance services are structured by a chief compliance officer and supported by a team that includes physicians, attorneys and a team of experienced auditors. The team has many decades of combined experience helping protect the interests of physicians and the organizations they serve.
Quality of coders and auditors. Our US-based auditors receive ongoing training and support from our education division, NAMAS (National Alliance of Medical Auditing Specialists). All team members possess over 15 years of experience and hold both the Certified Professional Coder (CPC®) as well as the Certified Professional Medical Auditor (CPMA®) credentials.
Proprietary risk-assessment technology – our auditing team uses ComplianceRiskAnalyzer(CRA)®, a sophisticated analytics solution that assesses critical risk areas. It enables our auditors to precisely select encounters that pose the greatest risk of triggering an audit so that they can be reviewed and the risk can be mitigated.
Synergy – DoctorsManagement is a full-service healthcare consultancy firm. The many departments within our firm work together to help clients rise above the complexities faced by today’s healthcare professionals. As a result, you receive quality solutions from a team of individuals who are current on every aspect of the business of medicine.