HIPAA and COVID-19: Privacy Protections Still Control in Case of Pandemic
As noted in our recent alert listed below, the HIPAA Privacy Rule is not suspended during a public health or other emergency. However, the Secretary of Health & Human Services may waive certain portions of the Privacy Rule during an emergency. Effective as of March 15, 2020 (and retroactive to March 1, 2020), HHS Secretary Alex Azar issued a limited waiver of HIPAA sanctions and penalties. Even with this limited waiver in place, HHS continues to stress the importance of appropriately sharing healthcare information and maintaining healthcare privacy protections during the COVID-19 pandemic.
Under the waiver, a covered hospital will not be penalized for failure to comply with the following Privacy Rule requirements:
- The requirement to obtain a patient’s agreement, when possible, to speak with family members or friends involved in the patient’s care;
- The requirement to honor a request to opt out of inclusion in the hospital’s patient directory;
- The requirement to provide a copy of the hospital’s notice of privacy practices;
- The requirement to abide by a patient’s right to request privacy restrictions; or
- The requirement to abide by a patient’s right to request confidential communications.
This limited waiver only applies to hospitals: (1) in the United States, as the emergency area identified in the Secretary’s declaration; (2) that have instituted disaster protocols; and (3) only for the 72-hour period after the hospital implemented its disaster protocol. In other words, the waiver protects hospitals from penalties in the short window of time when inadvertent disclosures could occur following implementation of disaster protocols. Once the hospital has operated under its disaster protocols for 72 hours, HHS presumes that compliance with the HIPAA Privacy Rule can be reinstituted and maintained.
HIPAA and its Privacy and Security Rules only apply to covered entities and business associates. Persons or organizations that are not covered entities or business associates may be subject to other data privacy requirements. When dealing with healthcare information, it is important for all persons or organizations to understand their obligations under applicable law.
The full language of the Secretary’s waiver, including this HIPAA component, may be found at: https://www.phe.gov/emergency/news/healthactions/section1135/Pages/covid19-13March20.aspx.
The HHS bulletin discussing the waiver (which includes guidance about how to use or share healthcare information as well as resources regarding COVID-19) may be found at: https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf.
The Novel Coronavirus (2019-nCoV; COVID-19) continues to spread, and news about its impact on our social ecosystems changes moment by moment. This is especially the case for the healthcare industry, which is facing mounting pressures involving the ability to offer testing, to ensure appropriate access to healthcare facilities, and to provide adequate space and equipment for treatment. As healthcare providers and their vendors address these concerns, they must also continue to protect patient information, which could include information about the disease and those who have it.
HIPAA covered entities and business associates must share information to ensure adequate treatment and related activities, but they can only do so within the requirements of the HIPAA Privacy and Security Rules and any applicable state laws (that provide greater protections than HIPAA). The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently issued guidance to remind covered entities and business associates that HIPAA protections under the Privacy Rule remain in place, even during an outbreak of infectious disease or other emergency situations. This guidance may be found at: https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf.
There are a number of ways in which covered entities and business associates may share protected health information (PHI) and still comply with the Privacy Rule (see 45 CFR § 164.500 et seq.):
- Treatment—It is critical that our healthcare systems have information for treatment purposes. The Privacy Rule allows the use and disclosure of PHI, without patient authorization, as needed to treat the patient or to treat a different patient. Treatment includes coordination of healthcare and related services as well as consultation among providers or patient referrals for treatment.
- Public Health Activities—Public health authorities have legitimate needs to access PHI needed to carry out their public health missions. Accordingly, the Privacy Rule allows covered entities and business associates to use and disclose PHI without individual authorization: (a) when providing PHI to a public health authority, such as the Centers for Disease Control and Prevention (CDC) or state or local health department to prevent or control disease, injury, or disability; (b) at the direction of a public health authority, when providing PHI to a foreign government agency acting in concert with the health authority; or (c) when providing PHI to persons at risk of contracting or spreading the disease.
- Individuals Involved in Patient’s Care—Covered entities and business associates may share PHI with a patient’s family members, relatives, friends, or others identified by the patient as being involved in the patient’s care. This includes sharing of PHI to identify, locate, or notify family members or others. When possible, the covered entity or business associate should get verbal permission from individuals or be able to reasonably infer that the patient does not object to the sharing of information. If a patient is unconscious or incapacitated, a healthcare provider may share relevant information if the provider feels doing so is in the best interest of the patient. However, such sharing of information should be limited to what is needed for the provider to make adequate decisions for the patient.
- Serious and Imminent Threats—Healthcare providers may share PHI as needed to prevent or minimize a serious or imminent threat to the health and safety of a person or the public. This should be done consistent with other applicable law as well as the provider’s standards of ethical conduct.
In general, covered entities and business associates cannot share specific information or results with the media or public about a patient without the patient’s authorization. However, a provider may collect information about a patient to include in a patient directory, which may be publicly available, so long as the patient has not objected to or restricted the release of her PHI. This can include the patient’s name, room location, and general terms about the patient’s condition. It cannot include specific medical information about the patient.
Even if a covered entity or business associate is able to share PHI in one or more of these situations, it must make reasonable efforts to limit the information used or disclosed to the minimum necessary information needed to accomplish the purpose of the use or disclosure. And the provider or organization must continue to implement reasonable safeguards to prevent intentional or unintentional uses and disclosures of PHI that are not permitted under the Privacy Rule. This includes continued compliance with the administrative, physical, and technical safeguards under the Security Rule.
HIPAA only applies to covered entities and business associates. Persons or organizations who do not qualify for that status may not be subject to HIPAA restrictions, but may remain subject to other state or federal privacy rules or prohibitions. When dealing with healthcare information, all persons or organizations should ensure that they are aware of their obligations under applicable law.
All persons and organizations should also remain informed about the latest news and activities involving COVID-19, which may be found at: https://www.cdc.gov/coronavirus/2019-ncov/about/index.html.