Reminder: Coronavirus Emergency Does Not Trump HIPAA Privacy Rule
The government just sent a stern reminder to all employers, especially those involved in providing healthcare, that they must still comply with the protections contained in the HIPAA Privacy Rule during the Coronavirus outbreak. The Office for Civil Rights of the U.S. Department of Health and Human Services (HHS) issued a reminder this month after the World Health Organization declared a global health emergency. In fact, the Rule includes provisions that are directly applicable to the current circumstances.
Privacy Rule Basics and Refresher
Grounded in the Health Insurance Portability and Accountability Act (HIPAA), the Privacy Rule establishes detailed requirements to ensure the continued confidentiality, integrity, and availability of protected health information (PHI). PHI encompasses individually identifiable health information.
HIPAA governs only covered entities (i.e., health plans, health care clearing houses, and health providers who conduct covered electronic transactions) and their Business Associates. Business Associates are those entities that handle PHI in order to perform certain functions on behalf of covered entities.
Covered entities and their business associates may use or disclose PHI without written authorization from the patient or his personal representative, except when doing so for designated purposes or pursuant to specific exceptions. At its core, the Rule permits covered entities to use and disclose PHI, without a patient’s authorization, as necessary for treatment, care coordination, consultation and referrals of patients for treatment.
Information Sharing in the Age of Coronavirus
When there is a legitimate need to share information with public health authorities and others responsible for ensuring public health and safety, covered entities may share PHI with them to enable them to carry out their public health responsibilities. This may arise with the current outbreak of Coronavirus, which was just recently coined COVID-19. The key, as always, is to limit disclosures to the minimum necessary to the purpose, strictly in accordance with these parameters.
For example, covered entities may share information as necessary with the Centers for Disease Control and Prevention (CDC), as well as health departments authorized by law to receive such information, to prevent or control disease or injury. You may even disclose PHI to foreign government agencies that are working with authorized public health authorities.
Also, you may disclose information to individuals you believe are at risk of contracting or spreading the disease, if authorized for such purposes under other law. Information may be shared with family and others involved in a patient’s care as necessary to identify and locate individuals responsible for the patient’s care, location, or condition.
Some Helpful Suggestions
In such cases, providers should obtain verbal permission from the patient if possible, or if not possible, permission can reasonably be inferred. Consistent with other applicable law, you may also disclose PHI as necessary to prevent or lessen a serious or imminent threat to a person or the public. It is important to remember, however, that in all cases, the minimum necessary standard is applicable to uses and disclosures of PHI, to authorized agencies or individuals.
Significantly, the Rule does not generally permit disclosure of PHI to the media or the public without the patient’s written authorization.
As both the financial and practical costs of HIPAA violations can be steep, it is more than worthwhile for covered entities and their business associates to take this reminder from HHS very seriously. Thus, it is important to ensure compliance with these use and disclosure particulars of the Privacy Rule, even under challenging circumstances.