The Privacy and Security Snapshot is a new publication by OHIMA that will be published quarterly throughout 2021-2022. The goal is to keep OHIMA members informed of current events in the privacy and security arena.
Do you have suggestions on topics to include in the snapshot? Or are you a privacy/security guru who would be interested in contributing? Email ohima@ohima.org to get in contact.
To Ask or Not to Ask: That Is The Question
HIPAA and Disclosure of COVID-19 Vaccination Status
Laurie Rinehart-Thompson, JD, RHIA, CHP, FAHIMA
OHIMA Project Leader, Privacy and Security
The right to refrain from disclosing one’s own vaccination status has taken center stage as one of many politically charged topics related to COVID-19. Social media has spread faulty declarations that it is a HIPAA violation for anyone – including employers and businesses – to ask individuals about their COVID-19 vaccination status. On September 30, the Office for Civil Rights, which enforces HIPAA, issued guidance titled HIPAA, COVID-19 Vaccination, and the Workplace¹ to address misinformation and confusion around this topic.
During the past 18 years HIPAA has often been improperly invoked, at times wielded to avoid sharing information and other times used because individuals have not taken the first step required in a HIPAA analysis: determining whether it even applies. Although HIPAA applicability is second nature to those who are familiar with it, many believe the law is much broader than it actually is. Case in point: A friend of mine, who owns a human resources company, asked if one of her clients – an archaeology research company – violated HIPAA when it shared medical information about one employee with another employee for health and safety reasons. I explained that HIPAA would not apply to an archaeology research company (while cautioning that relevant employment laws must be reviewed) but, instead, it applies to HIPAA covered entities and business associates (while describing what those are), including their workforces. Her surprised reply was, “I don’t think a lot of people realize that!” Later, I attended a law enforcement conference where the speaker terrorized police officers in the audience by warning that they could go to prison for capturing patient information on their body cameras whenever they entered an emergency room. Indeed, misconceptions about HIPAA’s applicability abound.
HIPAA also cannot apply unless there is PHI, or protected health information, which is individually identifiable; relates to a person’s past, present or future physical or mental health condition, provision of care, or payment for provision of care; and is in the possession of or transmitted by a covered entity or business associate, including their workforces. Thus, self-disclosure about one’s own vaccination status cannot be a HIPAA violation because it is not PHI, and individuals are free to share this information – or not – although they may be compelled to depending on a business’ vaccination requirements.
HIPAA does not apply to requests for PHI; it regulates PHI uses and disclosures instead. So even covered entities and business associates may ask for the vaccination status of employees, visitors and patients alike without committing a HIPAA violation – although they might expect a hostile response or refusal to share this information. There may be other relevant laws that prohibit questions about vaccination status, and these must be considered. Covered entities and business associates may only disclose PHI relating to one’s COVID-19 vaccination status with patient authorization or if a HIPAA authorization exception applies.
HIPAA does not apply to personnel records, including those held by covered entities and business associates in their capacity as employers. Employee vaccination (or vaccine exemption) records do not benefit from HIPAA protection; however, other laws protect this information. Vaccination records of an organization’s patients are protected by HIPAA. Because HIPAA focuses on information protection, it does not prohibit covered entities or business associates from mandating employee COVID-19 vaccinations or mask wearing.
__________________________________
¹ HIPAA, COVID-19 Vaccination, and the Workplace. Available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-covid-19-vaccination-workplace/index.html
² What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws. Available at https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws
The Ransom Disclosure Act
Kathryn Croswell, MBA, RHIA, CHC, CCS-P
OHIMA Project Leader, Privacy and Security
Ransomware is a type of malware that threatens to publish a victim’s personal data or blocks access to a system or data unless a ransom is paid. Ransomware attacks continue to increase in frequency and affect all types of industries. Hospitals and medical centers have been hit especially hard during the COVID-19 Public Health Emergency due to increased vulnerabilities from remote work and the use of telemedicine.
Currently, ransomware victims are not required to report attacks to the government. Some believe this lack of information, or data, is a barrier to the government properly investigating cyber criminals. In an effort to rectify the lack of data necessary to perform proper investigations of cybercrime, Senator Elizabeth Warren introduced the bill titled Ransom Disclosure Act (Act)[1] on October 5, 2021 to the House and Senate. The Act would require certain victims of cybercrime to report attacks to the Department of Homeland Security (DHS) within 48 hours after the date of payment. The Act would require victims who receive federal funds to disclose payments, which would presumably impact hospitals or medical centers that receive Medicare or Medicaid funds.
It is uncertain whether this bill will be passed and what impact it will have on decreasing cybercrime. Until then, organizations will need to continue to stay one step ahead of attackers, an expensive but necessary effort for healthcare organizations to protect and treat patients.
[1] https://www.warren.senate.gov/imo/media/doc/Ransom%20Disclosure%20Act%20One%20Pager.pdf