
Does the HIPAA Privacy Rule apply to the Novel Coronavirus (COVID-19)?

The Novel Coronavirus is officially a global pandemic. The World Health Organization says that a pandemic is the worldwide spread of a new disease. A pandemic is when an epidemic spreads between countries, per David Jones, MD, Ph.D.

Even in times of crisis like this, HIPAA-covered entities must follow all reasonable safeguards to protect the privacy of their patients who may be infected with the disease concerned, in this case the novel coronavirus. Any disclosure of patient information should always follow the minimum necessary standard. However, the HIPAA Privacy Rule does offer some accommodation in such cases.

Special considerations in the HIPAA Privacy Rule

The HIPAA Privacy Rule provides special considerations in the event of an epidemic or pandemic. As a covered entity or business associate, you should be aware of these individual cases. The Privacy Rule recognizes that public health authorities need some access to protected health information (PHI) to ensure public health and safety in the event of an emergency such as the one we are experiencing with the novel coronavirus. Covered entities are authorized to disclose PHI, without a patient’s consent, if that PHI disclosure is needed to treat the patient or even to treat another patient. Disclosure of patient information is also permitted if it prevents or lessens a serious and imminent threat.

Business Associates may also be able to disclose necessary information on behalf of the covered entity, as long as this disclosure is permitted within the parameters of the Business Associate Agreement. The Department of Health and Human Services has also published a notification that they will exercise their enforcement discretion, that is, they will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule if PHI is used or disclosed for public health related activities during the COVID-19 emergency.

What can you share with public health or disaster relief organizations?

The Department of Health and Human Services has stated explicitly that covered entities are permitted to disclose needed PHI to the Centers for Disease Control and Prevention (CDC) or a state or local health department when this disclosure is expected to help prevent or control a disease. A hospital may, for instance, report periodically to the CDC about patients potentially or actually exposed to the novel coronavirus. Similarly, they may also share protected health information with disaster relief organizations like the American Red Cross, that are authorized to coordinate relief effort and notify family members or others involved in the patient’s care.

Disclosing PHI to other individuals, family, and friends

Interestingly, covered entities are also permitted to disclose the minimum necessary PHI to persons at risk of contracting or spreading the disease, as long as another law allows the covered entity to make such a notification.

Sharing needed PHI with family and friends is also allowed as long as it is done in the best interests of the patient concerned. Here the doctor or another healthcare provider must exercise his or her best professional judgment and make the decision appropriately.


What can you tell the media?

Protected health information that can identify a patient should typically not be disclosed to the media without the written authorization of the patient. Individuals being treated for COVID-19 are entitled to their privacy and should not have to find their PHI on TV unless they have provided explicit written authorization. There are definite exceptions for certain limited cases here, for which you may refer to the HIPAA Privacy Rule for guidance.

In conclusion

In summary: in the event of an epidemic or pandemic, such as what the Novel Coronavirus is likely to be, follow HIPAA Privacy precautions carefully. Disclose only the minimum necessary Protected Health Information (PHI) to public health organizations and to friends and family of the affected patient, and only to the extent that this disclosure helps treat the patient or other patients and is in the patient's best interests. Make sure that all your employees and health care workers are trained and well informed so that they can make any such decision using their best judgment.

Read the full bulletin on the subject from the Department of Health and Human Services here.

Read the full notification of enforcement decision from the Department of Health and Human Services here.

Visit OCR's new HIPAA and COVID-19 web page here.


This blog post was originally published on March 17, 2020 and has since been updated.  Last updated on April 24, 2020.

Rema Deo

As CEO and Managing Director of 24By7Security, Inc., Rema is a highly experienced and credentialed information security professional. Among her certifications are PCI Qualified Security Assessor (QSA) from PCI SSC, Health Care Information Security & Privacy Practitioner (HCISPP) from (ISC)2, Certified Information Security Manager (CISM), and Certified Information Security Auditor (CISA) from ISACA. She also holds a certificate in Cybersecurity: Technology, Application, and Policy from the Massachusetts Institute of Technology, and Certified Data Privacy Practitioner (CDPP) from Network Intelligence. She earned her MBA from Symbiosis Institute of Business Management in Pune, India, and her Bachelor of Commerce degree from the University of Bombay. Be sure to follow the 24By7Security Blog for valuable insights from Rema and her colleagues.
