As the Rules Apply

This week in HIPAA news, we are shining a light on two rules that display the spectrum of ‘bending’ from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The first shows flexibility: OCR announced that HIPAA penalties will not be imposed in connection with online or web-based scheduling applications for COVID-19 vaccination, as long as covered health care providers and their business associates use them in good faith for appointment scheduling. This is retroactive to activity starting December 11, 2020.

The second bit of news shows how enforcement will be upheld if deadlines and rules are not adhered to. One area that will not be offered leniency is the deadline to report small HIPAA breaches from 2020. Even if ONE person was affected, you must report this to the HHS using the designated portal for breach reporting. Covered entities are required to report any breach of protected health information (PHI) to this office by March 1, 2021. A small breach is one that affects fewer than 500 individuals and has to be reported within 60 days of year-end. While the portal permits a business associate to report its own breach on behalf of a covered entity, the responsibility does fall on the covered entity, and this may mean that they would prefer to maintain and own that responsibility so that the report is filed accurately and in a timely fashion. If a breach is not reported, or is reported after the deadline, it can lead to additional fines.

Both of these likely affect you in one way or another. While they show that the OCR has some flexibility in accommodating the unexpected and ensuring that healthcare providers can quickly and effectively provide care, they are also an example of how the patient and their privacy or security will always come first. They’ll bend to ensure that people can be treated quickly when needed, and remain rigid when it comes to ensuring that the healthcare industry does it in the safest way possible.