Send us your patient data – or else


How many of you have been tested for COVID-19, even though you may not have had any symptoms? According to federal statistics, that answer is millions of us. Of course, right? We want to know if we’ve potentially been exposed so we can avoid exposing others. What if everyone who got tested, and tested negative, still had all of their health information demanded by their state? Well, it’s happening in at least one state.

On September 9, Governor Andrew Cuomo sent a letter to all healthcare providers, laboratories, and hospitals in the state of New York ordering all providers who administer COVID-19 tests to hand over ALL of their test results. On September 21, he issued a second letter adding data elements to the request. Specifically, he is requesting the following patient details: patient name, full residential address and phone number, occupation, employer name, full work address, employer phone number, patient race and ethnicity, whether the patient attends or works in a school, and if so, the name and location of the school and type of school. Providers must also supply details on any additional addresses associated with the patient. Oh, and if you’re also testing for the flu, you have to include that information too – and you have to report said results within 3 hours of receiving them. FAILURE TO COMPLY WILL SUBJECT ALL PROVIDERS TO FINES UP TO $2,000 PER DAY. It’s not posted on any media; we were sent a copy of the letter by a client – here it is for your verification.

We consider this a gross overreach by Governor Cuomo and a violation of patients’ HIPAA rights. The argument may be nuanced for some, but here’s the delineation – we acknowledge that under a state of emergency and where public health is concerned, HIPAA allows for disclosure of select patient information. We further accept that governments have a legitimate argument to obtain the data of patients who’ve tested positive for COVID-19. But requesting such information for patients who have tested negative is unnecessary, inappropriate, and potentially a violation of their privacy rights under HIPAA. Add to that the request for influenza data, and you now have an unprecedented attack on patient privacy rights for New York residents and anyone else who’s been tested in the state.

Our entire mission with our industry-leading HIPAA compliance program is to protect patient data. It’s our “why”. That doesn’t just include protecting our clients from breaches and HIPAA violations; it also includes ensuring that no one who doesn’t have rights to your patients’ information collects it. We stand opposed to the State of New York’s actions here and we hope the residents and healthcare providers within the state rebel against this Executive Order and seek a reasonable compromise – like the release of positively tested patients only.

If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.

For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.

The HIPAA Security Rule requires an organization to implement a security awareness and training program for all members of its workforce (including management). Have your team sign up for the weekly HIPAA Security Reminder to help stay compliant.