Temporary Suspension of HIPAA Penalties to Track COVID-19 Victims

By Glenn Day

A case study by the U.S. Centers for Disease Control (CDC) traced how two family gatherings – a funeral and a birthday party – sparked a coronavirus “super-spreading event” in Chicago where 15 people were infected and three died.

It occurred before social distancing measures were put in place in Illinois and elsewhere in the U.S., and illustrated the stealthiness with which COVID-19 spreads. This and other cases have also been critical to our understanding of the virus’ behavior and why self-quarantines and social distancing slow its advance.

In normal times, providing the kind of personal health information that the case detailed (including symptoms and treatment) would have risked HIPAA Privacy Rule penalties. These aren’t normal times, however. In the interests of public health oversight activities during the COVID-19 crisis, health care providers and their business associates are being permitted by the Health and Human Services Office for Civil Rights (OCR) to share protected information with authorities without risking a penalty. (“Business associates” are entities that provide third-party services and activities for providers.)

This particular temporary suspension of HIPAA penalties is really directed toward hospital administrators rather than frontline care providers like doctors and nurses. It has been particularly important since the early stages of the COVID-19 outbreak to be able to track in what countries the cases were originating and now, as its spread gains momentum, who has been caught up in the domino effect of exposure.

The OCR explained in announcing the move that removing the threat of penalties in these instances improves cooperation and the effective exchange of information so that public health and oversight agencies can more rapidly flatten the curve of COVID-19’s spread – ideally saving more lives.

Meanwhile, healthcare workers like doctors and nurses are not exempted from HIPAA guidelines for protecting patient confidentiality or from penalties for violating them. Crisis conditions do not lessen the need to guard the 18 “personal identifiers” (names, social security and medical record numbers, for example) that may link a patient to the “Protected Health Information” or PHI.

Healthcare professionals are well-grounded in HIPAA safeguards and their responsibilities in protecting and explaining them to patients. When breaches from within the system do occur, they typically stem from inappropriate sharing of photos or private medical information about patients (who are often celebrities) on social media. However, the bigger risk remains hacking of PHI by cyber criminals – a healthcare record in the underground economy commands up to $50, versus payment cards, which can be priced upward of $5.40.

HUB International’s team of healthcare specialists is ready to help your organization assess and manage risks in today’s medical environment. Get the latest information, guidance and resources on Coronavirus (COVID-19) to help you protect what matters most on our Coronavirus Resource Center.