HHS Addresses HIPAA Privacy and Security Rule Issues in Combatting Coronavirus

By: Rex Iacurci, Lexis Practice Advisor

This article discusses recent guidance by the Department of Health and Human Services’ Office for Civil Rights (OCR) addressing how entities subject to the Health Insurance Protection and Accountability Act (HIPAA) and their business associates must continue to comply with HIPAA’s privacy and security rules when sharing protected health information (PHI) as part of a response to an outbreak of infectious disease or other emergency situation such as the worldwide spread of novel coronavirus (COVID-19).

THE HIPAA PRIVACY RULE PROTECTS THE PRIVACY OF AN individual’s PHI but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary, including to treat a patient, to protect the public health, and for other critical purposes.¹

Background

The use and disclosure of PHI is strictly regulated by HIPAA’s Privacy Rule so that covered entities (like a group health plan, health service provider, or hospital) and their business associates (service providers that handle PHI on their behalf) may only use or disclose PHI as permitted or required by the rule. (The rules described for covered entities in this article are also applicable to their business associates). In addition, except as noted below, they must limit the use or disclosure (or requests for use or disclosure) to the minimum amount necessary to accomplish the intended purpose.²

This minimum necessary standard does not apply to:

• Disclosures requested or authorized by the individual
• Disclosures required by law or to comply with the HIPAA Privacy Rule –or– 
• Uses or disclosures by a health care provider in order to treat the individual³

OCR Bulletin

The OCR Bulletin reminds covered entities and their business associates of their continuing obligation to observe the HIPAA privacy rules in the face of the coronavirus outbreak and identifies existing exceptions, particularly emergency exceptions to the HIPAA Privacy Rule, as discussed below. Sharing PHI The OCR Bulletin discusses several relevant permitted disclosures that may be pertinent to the coronavirus outbreak: (1) for treatment, (2) for certain public health activities, (3) to the individual’s family, friends, and others for the individual’s care, and (4) for the prevention of a serious and imminent threat. PHI may also be disclosed if the individual consents in writing.

For Treatment

Under the HIPAA Privacy Rule, covered entities may disclose PHI, without an individual’s authorization, to the extent necessary to treat the individual or to treat a different individual. For this purpose, treatment includes:

• The coordination or management of health care and related services by one or more health care providers and others 
• Consultations between health care providers –and–
• Referring patients for treatment⁴

This exception is common in order to comprehensively treat a patient. In the context of an illness, the patient’s primary care physician may share information with the patient’s pulmonary care specialist, who together share information from a radiology office.

For Public Health Activities

The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to PHI that is necessary to carry out their public health mission. Therefore, the HIPAA Privacy Rule permits covered entities to disclose needed PHI in the following circumstances:

• To a public health authority, such as the Centers for Disease Control and Prevention (CDC) or a state or local health department, authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability. This would include, for example, gathering the information for:
  • The reporting of disease or injury
  • Reporting vital events, such as births or deaths –and–
  • Conducting public health surveillance, investigations, or interventions⁵
• At the direction of a public health authority to a foreign government agency that is acting in collaboration with the public health authority⁶
• To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations⁷

Disclosures to Family, Friends, and Others Involved in an Individual’s Care

A covered entity may share protected health information with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include where necessary to notify family members and others, the police, the press, or the public at large.⁸

The covered entity should get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible; if the individual is incapacitated or not available, covered entities may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest.

For patients who are unconscious or incapacitated, a health care provider may share relevant information about the patient with family, friends, or others involved in the patient’s care or payment for care, if the health care provider determines, based on professional judgment, that doing so is in the best interest of the patient. For example, a provider may determine that it is in the best interest of an elderly patient to share relevant information with the patient’s adult child, but generally could not share unrelated information about the patient’s medical history without permission.

Disclosures to Disaster Relief Organizations

In addition, a covered entity may share protected health information with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.⁹

Disclosures to Prevent a Serious and Imminent Threat

Health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public—consistent with applicable law and the provider’s standards of ethical conduct.¹⁰ Providers may disclose an individual’s PHI to anyone who is in a position to prevent or lesson the serious and imminent threat, including family, friends, caregivers, and law enforcement without the individual’s permission. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety.¹¹

Disclosures to the Media Generally Prohibited

Except in the limited circumstances, disclosing PHI to the media or the public at large, such as information about an individual’s specific tests, test results, or details of their illness, is prohibited without the individual’s (or authorized personal representative’s) written authorization.¹² Two exceptions noted in the OCR Bulletin are:

• Hospital exception. Where a patient has not objected to or restricted the release of PHI, a covered hospital or other health care facility may, upon request (such as by a patient’s visitors):
  • Disclose information about a particular patient by name
  • Release limited facility directory information to acknowledge an individual is a patient at the facility –and– 
  • Provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released)
• Incapacity exception. Covered entities may disclose information about an incapacitated patient if the disclosure is believed to be in the best interest of the patient and consistent with any prior expressed preferences of the patient.¹³

Comply with Minimum Necessary Standard

For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the minimum necessary to accomplish the purpose. As noted above, this minimum necessary requirement does not apply to disclosures to health care providers for treatment purposes or where the individual has authorized the disclosure, but it otherwise applies to any of the special rules permitting PHI disclosure discussed.

Covered entities may rely on reasonable representations from a public health authority or other public official that the requested information they request is the minimum necessary for the purpose. For example, a covered entity may rely on representations from the CDC that the CDC’s request for PHI about all of the covered entity’s patients exposed to or suspected or confirmed to have coronavirus is the minimum necessary for the public health purpose.

In addition, internally, covered entities should continue to apply their role-based access policies to limit access to PHI to only those workforce members who need it to carry out their duties.¹⁴

Looking Ahead

The OCR Bulletin reminds covered entities that existing HIPAA regulations can be flexible enough to allow for the necessary sharing of PHI in emergency situations so long as the applicable conditions are satisfied and subject to other applicable HIPAA rules. Even in a potential health crisis, like the coronavirus outbreak, covered entities must not only adhere to the minimum necessary standard, but also continue to implement reasonable safeguards to protect PHI against intentional or unintentional impermissible uses and disclosures. Further, covered entities must continue to apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information (ePHI).

Rex Iacurci is a Content Manager for Lexis Practice Advisor^® in its Labor & Employment module, specializing in Employee Benefits & Executive Compensation. Prior to joining LexisNexis, Rex was an editor/author at Thomson Reuters. Previously, Rex worked as senior benefits counsel for Eversource Energy, a New England utility, and as senior tax counsel for Chevron Corporation (formerly Texaco Inc.). Rex is a CPA and began his career in public accounting and benefits and compensation consulting.

To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Employee Benefits & Executive Compensation > Health and Welfare Plans > HIPAA > Articles

Related Content

1. The guidance is available at OCR, Bulletin: HIPAA Privacy and Novel Coronavirus (OCR Bulletin). 2. 45 C.F.R. §§ 164.502(b), 164.514(d). 3. 45 C.F.R. § 164.502(b)(2). 4. See 45 C.F.R. §§ 164.502(a)(1)(ii), 164.506(c), and 164.501 (definition of treatment). 5. 45 C.F.R. § 164.512(b)(1)(i). The OCR Bulletin notes that a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have coronavirus. 6. Id. 7. 45 C.F.R. § 164.512(b)(1)(iv). 8. See 45 C.F.R. §.164.510(b). 9. See 45 C.F.R. §.164.510(b)(4). 10. See 45 C.F.R. § 164.512(j). 11. Id. 12. See 45 C.F.R. § 164.508. 13. 45 C.F.R. § 164.510(a). 14. See 45 C.F.R. §§ 164.502(b), 164.514(d).