The Novel Coronavirus is spreading so rapidly that it will most likely become a pandemic. The World Health Organization says that a pandemic is the worldwide spread of a new disease. A pandemic is when an epidemic spreads between countries, per David Jones, MD, Ph.D.
Even in times of crisis like this, HIPAA-covered entities must follow all reasonable safeguards to protect the privacy of their patients who may be infected with the disease concerned, in this case, we are talking about the novel coronavirus. However, the HIPAA Privacy rule does offer some accommodation in such cases.
Special considerations in the HIPAA Privacy Rule
The HIPAA Privacy Rule provides special considerations in the event of an epidemic or pandemic. As a covered entity or business associate, you should be aware of these individual cases. The Privacy Rule recognizes that public health authorities need some access to protected health information (PHI) to ensure public health and safety in the event of an emergency such as the one we are experiencing with the novel coronavirus. Covered entities are authorized to disclose PHI, without a patient’s consent, if that PHI disclosure is needed to treat the patient or even to treat another patient. Business Associates may also be able to disclose necessary information on behalf of the covered entity, as long as this disclosure is permitted within the parameters of the Business Associate Agreement.
What can you share with public health or disaster relief organizations?
The Department of Health and Human Services has stated explicitly that covered entities are permitted to disclose needed PHI to the Centers for Disease Control and Prevention (CDC) or a state or local health department when this disclosure is expected to help prevent or control a disease. A hospital may, for instance, report periodically to the CDC about patients potentially or actually exposed to the novel coronavirus. Similarly, they may also share protected health information with disaster relief organizations like the American Red Cross, that are authorized to coordinate relief effort and notify family members or others involved in the patient’s care.
Disclosing PHI to other individuals, family, and friends
Interestingly, covered entities are also permitted to disclose the minimum necessary PHI to persons at risk of contracting or spreading the disease, as long as another law allows the covered entity to make such a notification.
Sharing needed PHI with family and friends is also allowed as long it is done in the best interests of the patient concerned. Here the doctor or another healthcare provider must exercise his or her best professional judgment and make the decision appropriately.
What can you tell the media?
Protected health information that can identify a patient should typically not be disclosed to the media without the written authorization of the patient. There are definite exceptions for certain limited cases here, for which you may refer to the HIPAA Privacy Rule for guidance.
The summary is: In the event of an epidemic or pandemic, such as what the Novel Coronavirus is likely to be, follow HIPAA Privacy precautions carefully. Disclose only the minimum necessary Protected Health Information (PHI) to public health organizations and friends and family of the affected patient, and only to the extent that this disclosure helps treat the patient or other patients, and is in the patient’s best interests. Make sure that all your employees and health care workers are trained and well informed to make any decision using their best judgment.