It is common for covered entities and business associates to train employees at hire and (at least) annually. What’s not as common is including other parties in the organization’s HIPAA training program. Contracted staff, temp/agency staff, volunteers, board members, and students can be considered part of an organization’s workforce – meaning, they need to be trained on HIPAA. And, during the pandemic, many providers have expanded the types of individuals that are part of their team.
In June 2020, The Society of Corporate Compliance and Ethics and the Health Care Compliance Association published survey results: Compliance and the COVID-19 Pandemic.
This survey of compliance professionals found:
"The COVID-19 pandemic has upended countless organizations and how people work... compliance programs have also felt the impact. Teams have had to adjust the way they work to ensure that regulatory mandates are still met - all while staying on top of the myriad regulation changes meant to address the pandemic."
I think we can all agree it has not been easy.
Here is what your healthcare professional peers say about COVID-19's effect on compliance:
During the pandemic, healthcare providers have seen countless headlines announcing both HIPAA guidance related to COVID-19, and HIPAA breaches. For example:
- Health care providers can contact former COVID-19 patients about blood and plasma donation opportunities
- Cyber-scams skyrocket during the pandemic
- Football player Ezekiel Elliott's COVID-19 test results leaked to the media
- OCR issues guidance on when healthcare providers can provide media access during COVID-19
- Nurse investigated for sharing video about fellow nurse who died of COVID-19
- Privacy issues with no-contact temperature taking
If your HIPAA training hasn't changed in response to this guidance and these headlines, that could be a problem.
The pandemic has led covered entities and business associates to rethink training.
For starters, in-services are not always practical right now. With more remote employees, and concerns about trying to contain spread of the virus, in-person, classroom-style training is not working for everyone.
Plus, many providers are dealing with an evolving workforce: more agency/temp staff, more healthcare professionals newly hired due to loosened education or certification requirements during COVID-19. All of these people need training - and providers have less time to train.
Compliance and HIPAA training does not have to be in the form of a live in-service to be effective.
MPA's Compliance and HIPAA Training Handbooks can help.
The rise of social media has revolutionized the way people connect. In the health care workplace, social media also brings countless opportunities for employees to violate HIPAA. Balancing this new landscape of increased sharing through technology and unchanged patient privacy rights is a minefield for healthcare providers.
Without education and policies from their employers, health care employees can easily get into trouble, quickly putting their employers at risk for HIPAA penalties, lawsuits, and devastating PR consequences. The pandemic has only exacerbated the privacy challenges associated with social media. MPA’s HIPAA, Social Media & COVID-19 Roadmap tells you what you need to know about this challenge, and what you can do about it.
Taking on the unstoppable world of social media might seem impossible. But it's better to help employees use it properly, and to know when they aren't, than to do nothing and wait to hear about it from the patients (or the media).
It’s not often that I cite a Sports Illustrated article in a HIPAA blog – but last week, the compliance and sports worlds collided when Dallas Cowboys Running Back Ezekiel Elliott’s COVID-19 results went viral.
Elliott issued his official, one-word response to the news on Twitter: “HIPAA ??” Elliott went on to deny reports that his own agent leaked the news about his COVID-19 status, tweeting that his agent confirmed the information AFTER it was leaked to the media.
We do not know how this happened, but healthcare providers should think through the possibilities and look inward.
- Did an employee of a healthcare provider treating (or testing) Elliott leak the information? Could this happen within your organization?
- Are your employees trained about the consequences of breaching patient information in this way? What would your employees find more compelling – your HIPAA policies, or a bribe from a reporter? (To be clear, we have no knowledge that this is what happened here – but it is a possibility).
- Are your employees trained to understand that COVID-19 status is sensitive PHI – with higher stakes for the patient?
- Does your organization restrict access to patient records on a need-to-know basis (role-based access, with access to sensitive charts limited to the treating team), to minimize the likelihood of a breach?
- When your organization treats high-profile patients, are extra precautions taken to protect their PHI (for example, admitting/treating them under an alias)?
- Do you conduct regular information system activity review audits of access logs, both to deter and to detect unauthorized records access?
We don’t know how Zeke Elliott’s records were leaked – but we know it’s wrong, and healthcare providers should take all steps to avoid a similar problem. Keep in mind that breaches of high-profile individuals will continue to be a challenge after COVID-19. As the 4th of July approaches, you might remember Jason Pierre-Paul, the NY Giants player who sued ESPN after a reporter tweeted a picture of his medical record when he was treated for a fireworks injury to his hand.
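The access-review question above is the one most organizations can act on immediately, since every certified EHR keeps an access log. The script below is an added example, not code from MPA or from any EHR vendor, showing two reviews a compliance officer could run over an exported access log: flagged (high-profile) patients opened by someone who is not on the documented care team, and one user opening many different charts in a short window (the classic snooping pattern). The log line layout, the patient IDs and user names, the VIP care-team roster and the thresholds are all constructed for this illustration; real exports differ by vendor and the thresholds should be tuned to the organization.

```python
"""Audit-log review for unauthorized record access (added example, not MPA's code)."""
import csv
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample of an EHR access log. The column layout
# (timestamp,user,role,patient,action,unit) is assumed for this example.
SAMPLE_LOG = """\
2020-06-17T08:02:11,rn_alvarez,nurse,P1001,view_chart,ICU
2020-06-17T08:03:40,dr_kim,physician,P1001,view_labs,ICU
2020-06-17T08:05:02,unitclerk_01,clerk,P1001,view_chart,ED
2020-06-17T08:06:30,unitclerk_01,clerk,P1002,view_chart,ED
2020-06-17T08:06:45,unitclerk_01,clerk,P1003,view_chart,ED
2020-06-17T08:07:01,unitclerk_01,clerk,P1004,view_chart,ED
2020-06-17T08:07:15,unitclerk_01,clerk,P1005,view_chart,ED
2020-06-17T08:07:30,unitclerk_01,clerk,P1006,view_chart,ED
2020-06-17T08:07:46,unitclerk_01,clerk,P1007,view_chart,ED
2020-06-17T08:08:01,unitclerk_01,clerk,P1008,view_chart,ED
2020-06-17T08:08:15,unitclerk_01,clerk,P1009,view_chart,ED
2020-06-17T08:08:30,unitclerk_01,clerk,P1010,view_chart,ED
2020-06-17T08:08:46,unitclerk_01,clerk,P1011,view_chart,ED
2020-06-17T09:15:00,rn_alvarez,nurse,P1002,view_chart,ICU
2020-06-17T23:41:12,billing_09,billing,P1001,view_chart,BILLING
"""

# Hypothetical VIP flag plus documented care team. In a real EHR this comes
# from patient-level confidentiality flags and treatment-team assignments.
VIP_CARE_TEAMS = {"P1001": {"rn_alvarez", "dr_kim"}}

# Hypothetical snooping threshold: N distinct charts within the window.
SNOOP_WINDOW = timedelta(minutes=10)
SNOOP_DISTINCT_PATIENTS = 10


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    patient: str
    timestamp: str


def parse_log(text):
    """Parse the CSV export into dicts, sorted by time, with a parsed 'ts'."""
    fields = ["timestamp", "user", "role", "patient", "action", "unit"]
    rows = []
    for rec in csv.DictReader(StringIO(text), fieldnames=fields):
        rec["ts"] = datetime.fromisoformat(rec["timestamp"])
        rows.append(rec)
    return sorted(rows, key=lambda r: r["ts"])


def review(text):
    """Return findings for both rules, in time order."""
    findings = []
    recent = {}  # user -> deque of (ts, patient) still inside the window
    for rec in parse_log(text):
        user, patient, ts = rec["user"], rec["patient"], rec["ts"]

        # Rule 1: flagged patient opened by someone outside the care team.
        team = VIP_CARE_TEAMS.get(patient)
        if team is not None and user not in team:
            findings.append(Finding("vip_access_outside_care_team",
                                    user, patient, rec["timestamp"]))

        # Rule 2: one user opens many distinct charts in a short window.
        # Fire once, when the distinct count first reaches the threshold.
        q = recent.setdefault(user, deque())
        q.append((ts, patient))
        while q and ts - q[0][0] > SNOOP_WINDOW:
            q.popleft()
        if len({p for _, p in q}) == SNOOP_DISTINCT_PATIENTS:
            findings.append(Finding("rapid_chart_browsing",
                                    user, patient, rec["timestamp"]))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.rule:30}  user={f.user}  patient={f.patient}")
```

On the constructed log this produces three findings: the unit clerk and the billing user each opened the flagged chart without being on its care team, and the clerk tripped the browsing rule on the tenth distinct chart. Each finding is a lead for the privacy officer to follow up with the user's manager, not proof of a breach; a billing user may have a legitimate reason, which is exactly why the review should be documented either way.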
MPA can help with HIPAA training. We offer interactive, customized Zoom training sessions with current real-world examples and pre- and post-testing.
Here in Missouri, much of the state reopened on June 15: pools, restaurants, and gyms included. But life looks a lot different. Visitors are still restricted at nursing homes, people are wearing masks, hand sanitizer lurks around every corner, and many people are still choosing to stay home and use curbside services. It’s a different world.
Throughout the pandemic, I have asked healthcare providers: How has COVID-19 affected your compliance and HIPAA programs?
- Some people say: “It’s business as usual.”
- Others say: “I’m still working on compliance but at a much slower pace.” This is understandable, given the number of COVID-related tasks and guidance added to compliance officers’ plates.
- A few people have told me they actually have MORE time to work on compliance now, because other projects have been put on hold.
- And a handful have told me that compliance has been put on hold completely during the pandemic. I understand why this happens and I empathize with it. These are unprecedented times and healthcare providers are in the middle of a once-in-a-century challenge.
If you have had to curtail or limit your compliance efforts due to COVID-19: Document your decisions. Document what activities have been delayed, and why (e.g., resources were redirected to infection control).
As we enter month four of the national public health emergency, my hope for compliance officers who have slowed (or stopped) compliance efforts is that they find a way to keep their compliance programs going and, to the extent possible, get back to business as usual.
Where should we start?
How you resume compliance will depend on your risks and resources. Here are some ideas to consider:
- Schedule a quarterly compliance committee meeting (especially if you are overdue). Use this time to recap your organization’s risks – COVID and non-COVID – and prioritize.
- Create an action plan to address these risks in order of priority. Decide how you will tackle each risk. Map out your plan over 12 months – and follow up monthly or quarterly to check on progress.
- Update your board. It’s possible that board meetings have been filled with urgent COVID-19 issues. If compliance has been bumped from the agenda, it’s time to get back on. Compliance, after all, has a key role in addressing and mitigating COVID-19 risks in areas like HIPAA, infection control, and EMTALA.
- Find out how you can support your staff. Healthcare employees are likely exhausted, overwhelmed, and stressed out. Compliance can help. An unprecedented amount of guidance has been published since February. What information could your employees be struggling with? Do they need help understanding new HIPAA guidance during the pandemic? When is the last time your employees were reminded of how to report compliance issues? When is the last time the Compliance Officer walked the floors to talk with staff, encouraging them to raise questions?
- Nursing homes should work on Phase 3 Compliance and Ethics programs. This means making sure updated policies are in place, policies are disseminated, and an annual review is conducted. It can take several months to conduct an annual review – start now and move the process forward. When surveys resume, you will be better off if you aren’t scrambling to implement compliance.
Yes, the pandemic continues. But compliance should also continue. When COVID-19 passes, or at least subsides to a better “new normal,” your organization will need compliance. Compliance provides education that helps people do their jobs; risk management and strategy to make your organization better; and process improvement to provide the best care possible. By taking little steps now to keep compliance going, you can avoid starting over after the pandemic.
On June 12, the OCR published the following guidance: OCR Issues Guidance on How Health Care Providers Can Contact Former COVID-19 Patients About Blood and Plasma Donation Opportunities.
- Covered entities (or their business associates) CAN, under HIPAA, use PHI to identify and contact patients who have recovered from COVID-19 to provide information about donating blood and plasma that could help other COVID-19 patients. The COVID-19 antibodies found in blood and plasma of recovered patients could help treat other COVID-19 patients.
- This use of PHI is considered health care operations, because it involves “population-based activities related to improving health, and case management and care coordination activities that do not meet the definition of treatment….”
- Covered entities should limit the use or disclosure of PHI to the minimum necessary.
- Providers must be careful here – the way they reach out to patients must not constitute marketing. (With some exceptions, uses or disclosures of PHI for marketing require a signed HIPAA authorization).
- Covered entities should NOT receive any direct or indirect payment from or on behalf of a blood and plasma donation center.
- Covered entities should refrain from encouraging patients to use a particular blood and plasma center.
- Covered entities cannot disclose PHI about recovered COVID-19 patients to a blood and plasma donation center for the purpose of soliciting blood and plasma donations – without a signed patient authorization.
MPA has updated its HIPAA & COVID-19 Tool Kit to address this guidance. The following documents have been updated:
- HIPAA & COVID-19 Update
- Permitted Uses and Disclosures Policy
Many providers are seeing changes to their workforce during the pandemic. Hospitals are recruiting additional healthcare professionals; nursing homes are relying more heavily on agency staff as employees become ill or do not show up for work. CMS has changed rules, allowing expanded types of providers to order tests and perform other tasks. An increased number of students or volunteers are also being used.
With these workforce changes, HIPAA training must continue. The HIPAA Privacy and Security Rules remain in place during the pandemic. OCR enforcement remains active. HIPAA requires providers to train their workforce on HIPAA requirements. Workforce means “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.” 45 CFR 160.103
HIPAA training reminders:
- Covered entities should routinely evaluate who is working on their behalf and determine who is included in their workforce (and needs training).
- The Privacy Rule requires covered entities to train all workforce members on policies and procedures related to PHI, as necessary and appropriate for the workforce members to carry out their functions. 45 CFR 164.530(b)
- The Security Rule requires covered entities to: “implement a security awareness and training program for all members of its workforce (including management)” 45 CFR 164.308(a)(5)
- Workforce members should also be trained to recognize breaches, to report them internally, and to know whom to report them to.
- All workforce members should be trained on appropriate social media use (this is especially important during a national emergency).