Monday, December 6, 2021

OHIMA’s Privacy and Security Snapshot

The Privacy and Security Snapshot is a new publication by OHIMA that will be published quarterly throughout 2021-2022.  The goal is to keep OHIMA members informed of current events in the privacy and security arena.

Do you have suggestions on topics to include in the snapshot? Or are you a privacy/security guru who would be interested in contributing? Email to get in contact.


To Ask or Not to Ask:  That Is The Question

HIPAA and Disclosure of COVID-19 Vaccination Status

Laurie Rinehart-Thompson, JD, RHIA, CHP, FAHIMA

OHIMA Project Leader, Privacy and Security

The right to refrain from disclosing one’s own vaccination status has taken center stage as one of many politically charged topics related to COVID-19.  Social media has spread the faulty claim that it is a HIPAA violation for anyone, including employers and businesses, to ask individuals about their COVID-19 vaccination status.  On September 30, the Office for Civil Rights (OCR), which enforces HIPAA, issued guidance titled HIPAA, COVID-19 Vaccination, and the Workplace [1] to address misinformation and confusion around this topic.

During the past 18 years HIPAA has often been improperly invoked, at times wielded to avoid sharing information and at other times used because individuals have not taken the first step required in any HIPAA analysis: determining whether it even applies.  Although HIPAA applicability is second nature to those who are familiar with it, many believe the law is much broader than it actually is.  Case in point: A friend of mine, who owns a human resources company, asked if one of her clients, an archaeology research company, violated HIPAA when it shared medical information about one employee with another employee for health and safety reasons.  I explained that HIPAA does not apply to an archaeology research company (while cautioning that relevant employment laws must be reviewed) but instead applies to HIPAA covered entities and business associates (while describing what those are), including their workforces.  Her surprised reply was, “I don’t think a lot of people realize that!”  Later, I attended a law enforcement conference where the speaker terrorized police officers in the audience by warning that they could go to prison for capturing patient information on their body cameras whenever they entered an emergency room.  Indeed, misconceptions about HIPAA’s applicability abound.

HIPAA also cannot apply unless there is PHI, or protected health information: information that is individually identifiable; that relates to a person’s past, present or future physical or mental health condition, the provision of care, or payment for care; and that is created, received, maintained or transmitted by a covered entity or business associate, including their workforces.  Thus an individual’s self-disclosure of his or her own vaccination status cannot be a HIPAA violation: HIPAA regulates covered entities and business associates, not individuals speaking about themselves.  Individuals are free to share this information, or not, although they may face consequences for declining depending on a business’s vaccination requirements.

HIPAA does not regulate requests for PHI; it regulates PHI uses and disclosures.  So even covered entities and business associates may ask employees, visitors and patients alike for their vaccination status without committing a HIPAA violation, although they might expect a hostile response or a refusal to share this information.  Other laws may prohibit questions about vaccination status, and these must be considered.  Covered entities and business associates may disclose PHI relating to a patient’s COVID-19 vaccination status only with the patient’s authorization or where the HIPAA Privacy Rule permits the disclosure without authorization.

HIPAA does not apply to employment records, including those held by covered entities and business associates in their capacity as employers.  Employee vaccination (or vaccine exemption) records therefore do not receive HIPAA protection; however, other laws, such as the confidentiality requirements of the Americans with Disabilities Act, protect this information.  Vaccination records of an organization’s patients are protected by HIPAA.  Because HIPAA focuses on information protection, it does not prohibit covered entities or business associates from mandating employee COVID-19 vaccination or mask wearing.

The Ohio General Assembly has produced a flurry of bills promoting vaccine freedom, some of which would prohibit numerous entities from asking about a person’s vaccination status.  On November 18, one bill took a step forward when the Ohio House of Representatives passed House Bill 218, which weakens vaccine requirements but does not address sharing of information about vaccination status.  It would still need to pass the Senate and be signed by Governor DeWine, so its future is uncertain.  However, the bill is a reminder that other laws (both federal and state) may be introduced and passed that do apply to the sharing of vaccination information even where HIPAA does not.  In addition, the U.S. Equal Employment Opportunity Commission has issued guidance on COVID-19 and employment-related laws, providing useful information where HIPAA does not apply but other laws may. [2]


[1] HIPAA, COVID-19 Vaccination, and the Workplace. Available at
[2] What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws. Available at


The Ransom Disclosure Act

Kathryn Croswell MBA, RHIA, CHC, CCS-P
OHIMA Project Leader, Privacy and Security

Ransomware is a type of malware that blocks access to a system or its data, or threatens to publish a victim’s data, unless a ransom is paid. Ransomware attacks continue to increase in frequency and affect all types of industries. Hospitals and medical centers have been hit especially hard during the COVID-19 Public Health Emergency because remote work and the use of telemedicine have expanded their attack surface.

Currently, there is no general requirement for ransomware victims to report attacks or ransom payments to the government. (HIPAA covered entities and business associates do have breach notification obligations when a ransomware incident compromises PHI, but that is a breach rule, not a ransomware or payment reporting rule.) Some believe this lack of data is a barrier to the government properly investigating cyber criminals. To address it, Senator Elizabeth Warren introduced the Ransom Disclosure Act (Act)[1] in the Senate on October 5, 2021, with a companion bill in the House. The Act would require certain ransomware victims to disclose ransom payments to the Department of Homeland Security (DHS) within 48 hours after the date of payment. The Act would apply to victims that receive federal funds, which would presumably include hospitals and medical centers that receive Medicare or Medicaid payments.

It is uncertain whether this bill will pass and what effect it would have on reducing cybercrime. Until then, organizations will need to keep investing in staying a step ahead of attackers, an expensive but necessary cost for healthcare organizations that must protect and treat patients.


These articles were written by volunteers on the 2021-22 OHIMA Board's Privacy and Security Strategy Committee.