In February 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) published a bulletin clarifying how and when patient information may be HIPAA compliantly shared in the case of an outbreak of infectious disease or other emergencies.
Although the HIPAA Privacy Rules still protect patients’ PHI, it also ensures that necessary information is available to protect the nation’s public health as well as to treat the individual patient. Most of the information in the below bulletin is a reminder of HIPAA elements that always apply; however, the Coronavirus outbreak raises the level of importance and serves as a helpful reminder to staff.
February 2020 Office for Civil Rights, U.S. Department of Health and Human Services BULLETIN: HIPAA Privacy and Novel Coronavirus
Treatment – As always, covered entities (CE’s) may disclose, without a patient’s authorization, protected health information (PHI) about the patient as necessary to treat the patient or to treat a different patient. Treatment includes the coordination or management of care by health care providers and others, consultation between providers, and the referral of patients for treatment. See 45 CFR §§ 164.502(a)(1)(ii), 164.506(c), and the definition of “treatment” at 164.501.
Public Health Activities – The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to PHI that is necessary to carry out their public health mission. Therefore, the Privacy Rule permits covered entities to disclose needed protected health information without individual authorization:
To a public health authority, such as the CDC, state, or local health departments, that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease. This would include the reporting of disease, vital events such as deaths, conducting public health surveillance, investigations, or interventions. A “public health authority” is an agency or authority of the United States government, a State, territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. See 45 CFR §§ 164.501 and 164.512(b)(1)(i). For example, a covered entity may disclose to the CDC PHI on an ongoing basis as needed or report all prior and prospective cases of patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV).
Disclosures to Prevent a Serious and Imminent Threat – Health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. See 45 CFR 164.512(j). Thus, providers may disclose a patient’s health information to anyone who is in a position to prevent or lessen the serious and imminent threat, including family, friends, caregivers, and law enforcement without a patient’s permission. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety. See 45 CFR 164.512(j).
To other persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the CE to notify such persons to prevent or control the spread of the disease, or to carry out public health interventions or investigations. See 45 CFR 164.512(b)(1)(iv).
The covered entity should ideally get and document verbal permission from individuals, or be able to reasonably infer that the patient does not object, when possible; if the individual is incapacitated or not available, covered entities may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest.
A health care provider may share relevant information about the patient with family, friends, or others involved in the patient’s care or payment for care, if the health care provider determines, based on professional judgment, doing so is in the best interests of the patient. *For example, a provider may determine that it is in the best interests of an elderly patient to share relevant information with the patient’s adult child, but generally could not share unrelated information about the patient’s medical history without permission.
To disaster relief organizations like the American Red Cross, are authorized to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.
Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification – If talking to the media, refer to the bulletin for more in-depth information. However, many organizations have policies, and usually assign one point person ensure proper messaging. Use caution.
Minimum Necessary – For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose. (Minimum necessary requirements do not apply to disclosures to health care providers for treatment purposes.) A CD may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV) is the minimum necessary for the public health purpose. Internally, CE should continue to apply their role-based access policies to limit access to PHI only to workforce members who need it to carry out their duties. See 45 CFR §§ 164.502(b), 164.514(d).
Safeguarding Patient Information – In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.
We have provided a summary of the bulletin around the areas of concern that are most likely to impact our clients. For the complete bulletin and resource, see the link below.
Office for Civil Rights, U.S. Department of Health and Human Services BULLETIN: HIPAA Privacy and Novel Coronavirus https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf
For more information on the CDC Guidance of Coronavirus DIAGNOSIS CODING (Feb., 2020) https://www.cdc.gov/nchs/data/icd/ICD-10-CM-Official-Coding-Gudance-Interim-Advice-coronavirus-feb-20-2020.pdf
For more information on HIPAA and Emergency Preparedness, Planning, and Response, please visit: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency- preparedness/index.html
General information on understanding the HIPAA Privacy Rule may be found at: https://www.hhs.gov/hipaa/for-professionals/privacy/index.html
For information regarding how Federal civil rights laws apply in an emergency, please visit: https://www.hhs.gov/civil-rights/for-individuals/special-topics/emergency- preparedness/index.html