In Wake of Coronavirus, HHS Waives Penalties for Potential HIPAA Violations

In response to the nationwide emergency concerning COVID-19, the U.S. Department of Health and Human Services (HHS) issued a COVID-19 & HIPAA Bulletin waiving certain sanctions and penalties for healthcare providers, effective March 15, 2020. These sanctions are covered by the HIPAA Privacy Rule. To give patients more control over their health information, the Privacy Rule establishes national standards for using and releasing individually identifiable health information by covered entities, such as hospitals and health plans, and their business associates.

Though the Privacy Rule is not suspended during a public health emergency or pandemic, the Secretary of Health and Human Services may waive certain provisions under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act. Secretary Alex M. Azar has done so following his earlier declaration of a public health emergency on January 31, 2020.

The waiver from penalties protects HIPAA-covered hospitals that do not comply with the following provisions of the HIPAA Privacy Rule:

  • The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient's care (45 CFR 164.510(b));
  • The requirement to honor a request to opt out of the facility directory (45 CFR 164.510(a));
  • The requirement to distribute a notice of privacy practices (45 CFR 164.520);
  • The patient's right to request privacy restrictions (45 CFR 164.522(a));
  • The patient's right to request confidential communications (45 CFR 164.522(b)).

Covered entities must still implement reasonable safeguards to protect personal health information (PHI) against any “intentional or unintentional uses and disclosures” in violation of HIPAA.

The coronavirus pandemic has seen many healthcare providers shift to telemedicine, providing healthcare to patients online. Today, nearly 80 percent of hospitals in the U.S. have some sort of telehealth service. HHS’s waiver of certain HIPAA provisions is intended to facilitate the provision of telemedicine, and it is not limited to diagnoses related to coronavirus. However, the move raises concerns over the protection of patients' privacy.

In ordinary times, HIPAA protects patients from having their medical data used for marketing purposes, for example, by limiting the types of technologies that healthcare providers can use in telemedicine. Certain technologies, such as Updox and Zoom for Business, appear to have passed muster. Under the new guidelines, however, HHS will not impose penalties on healthcare providers using noncompliant apps such as FaceTime, Facebook Messenger, Google Hangouts, and Skype. The coronavirus pandemic may test the limits of patient privacy protection.

Experts warn that the risks to patient data run high. For example, the widespread adoption of Zoom’s free videoconferencing service (as opposed to its Zoom for Business subscription service) in the time of pandemic has exposed the tool’s major privacy risks. Privacy advocates have questioned the ability of tech giants to protect sensitive health information. Some tech companies provide HIPAA-compliant versions of their platforms, but many healthcare providers may be using other versions or individual enterprise licenses that do not take particular privacy needs into consideration.

The New York Times editorial board stresses that Americans should not have to compromise their privacy to benefit from technological tools, even in times of crisis. Private companies see this pandemic as a win for their data-amassing business models. “They understand that we as consumers are lazy,” says Alastair Mactaggart, who leads the board of Californians for Consumer Privacy. “We don’t take the precautions we should, and these companies are able to capitalize on it. So this could be a boon for them.”

The threats to privacy can fall outside the scope of typical ideas about data disclosure. Zeynep Tufekci, an associate professor at the School of Information and Library Science at the University of North Carolina and an expert on emerging technologies and privacy, explains that computational inference presents unprecedented privacy concerns. A looming question is how, when, and by whom personal health data could be fed into machine-learning systems that “predict” health outcomes without infringing on social and economic freedoms that could threaten access to services such as health and life insurance.

A major concern among experts and privacy advocates is that coronavirus patients could face discrimination, isolation, or even retribution if their identities were revealed. HHS requires “appropriate de-identification” of personally identifiable health information to protect the privacy of individual patients. However, once de-identified, personal patient information no longer falls under the HIPAA protection, and there is no regulation to keep big tech companies from triangulating de-identified data with existing user information. On the current outbreak, Michelle Mello, a health law professor at Stanford University, notes, “We kind of blew it on surveillance, it’s pretty late in the game to be getting into that now . . . You really can’t stand these things up in the middle of a pandemic.”

In addition, cyberattackers are exploiting the current pandemic by releasing coronavirus-related scams and phishing attacks, according to a joint alert from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency and UK National Cyber Security Centre (NCSC). The attackers are exploiting platform vulnerabilities and the expanding network of patient data. The FBI has warned of an expected increase in attempted targeted hijackings of Zoom and other videoconferencing platforms, and Interpol and Microsoft have warned that cyberattackers are targeting the healthcare sector with ransomware.

Exacerbating concern are healthcare providers, who routinely underestimate privacy vulnerabilities. The majority of healthcare providers, surveyed before the COVID-19 pandemic, were overconfident in their ability to control data sharing and the security of their data storage, according to a new global report from Netwrix.

In response to HHS's announcement, the Electronic Frontier Foundation (EFF), a nonprofit defending civil liberties in the digital world, encouraged patients to ask healthcare providers for information about the safeguards they have in place and what their plans and timelines are for moving to platforms that fall under HIPAA compliance. EFF also suggests that measures "justified during a crisis should not become permanent fixtures of society" and people "must have the opportunity to…challenge" big data conclusions.

Privacy concerns continue to grow. As healthcare providers and patients are increasingly connecting online, in part a product of relaxed HIPAA standards, a sudden surge of sensitive patient data is making its way across videoconferencing platforms. The tension between making healthcare delivery more accessible and safeguarding patient privacy will not be resolved in the midst of crisis. The question remains: will the COVID-19 pandemic solidify norms abridging patient privacy?