The Novel Coronavirus is officially a global pandemic. The World Health Organization says that a pandemic is the worldwide spread of a new disease. A pandemic is when an epidemic spreads between countries, per David Jones, MD, Ph.D.
Even in times of crisis like this, HIPAA-covered entities must follow all reasonable safeguards to protect the privacy of their patients who may be infected with the disease concerned, in this case, we are talking about the novel coronavirus. Any patient information disclosure should always follow the minimum necessary standard. However, the HIPAA Privacy rule does offer some accommodation in such cases.
The HIPAA Privacy Rule provides special considerations in the event of an epidemic or pandemic. As a covered entity or business associate, you should be aware of these individual cases. The Privacy Rule recognizes that public health authorities need some access to protected health information (PHI) to ensure public health and safety in the event of an emergency such as the one we are experiencing with the novel coronavirus. Covered entities are authorized to disclose PHI, without a patient’s consent, if that PHI disclosure is needed to treat the patient or even to treat another patient. Disclosure of patient information is also permitted if it prevents or lessens a serious and imminent threat.
Business Associates may also be able to disclose necessary information on behalf of the covered entity, as long as this disclosure is permitted within the parameters of the Business Associate Agreement. The Department of Health and Human Services has also published a notification that they will exercise their enforcement discretion, that is, they will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule if PHI is used or disclosed for public health related activities during the COVID-19 emergency.
The Department of Health and Human Services has stated explicitly that covered entities are permitted to disclose needed PHI to the Centers for Disease Control and Prevention (CDC) or a state or local health department when this disclosure is expected to help prevent or control a disease. A hospital may, for instance, report periodically to the CDC about patients potentially or actually exposed to the novel coronavirus. Similarly, they may also share protected health information with disaster relief organizations like the American Red Cross, that are authorized to coordinate relief effort and notify family members or others involved in the patient’s care.
Interestingly, covered entities are also permitted to disclose the minimum necessary PHI to persons at risk of contracting or spreading the disease, as long as another law allows the covered entity to make such a notification.
Sharing needed PHI with family and friends is also allowed as long it is done in the best interests of the patient concerned. Here the doctor or another healthcare provider must exercise his or her best professional judgment and make the decision appropriately.
Protected health information that can identify a patient should typically not be disclosed to the media without the written authorization of the patient. Individuals being treated for COVID-19 are entitled to their privacy and should not have to find their PHI on TV unless they have provided explicit written authorization. There are definite exceptions for certain limited cases here, for which you may refer to the HIPAA Privacy Rule for guidance.
The summary is: In the event of an epidemic or pandemic, such as what the Novel Coronavirus is likely to be, follow HIPAA Privacy precautions carefully. Disclose only the minimum necessary Protected Health Information (PHI) to public health organizations and friends and family of the affected patient, and only to the extent that this disclosure helps treat the patient or other patients, and is in the patient’s best interests. Make sure that all your employees and health care workers are trained and well informed to make any decision using their best judgment.
Read the full bulletin on the subject from the Department of Health and Human Services here.
Visit OCR's new HIPAA and COVID-19 web page here.
This blog post was originally published on March 17, 2020 and has since been updated. Last updated on April 24, 2020.