HIPAA and COVID-19: Balancing Public Health Concerns and Patient Privacy in the Midst of a Pandemic 

March 13, 2020

Although COVID-19 is not the first pandemic to hit the United States, the virus has thrown the country into uncharted territory as federal and state governments and agencies struggle to contain the virus’s quick-moving spread. As in past outbreaks, on February 3, 2020, the Office for Civil Rights of the U.S. Department of Health and Human Services (OCR) released a special guidance bulletin titled “HIPAA Privacy and Novel Coronavirus” (the bulletin). The bulletin describes the ways that patient information can be shared during a national health crisis and in emergency situations, and reminds covered entities and business associates that HIPAA’s privacy protections remain in effect during such events. While the goal of HIPAA is to protect the privacy of protected health information (PHI), it does contain provisions that allow information to be shared for treatment purposes and in public health emergencies.

Disclosures for Treatment Purposes

A long-time staple of the HIPAA privacy rule is that covered entities may disclose PHI without patient authorization for treatment purposes, which includes the management of health care by several providers and consultation between providers, as well as the referral of patients for treatment.

Disclosures for Public Health Activities

Under HIPAA, covered entities can share PHI with a public health authority, such as a state health department or the National Centers for Disease Control and Prevention (CDC), that is authorized by law to collect or receive such information to prevent or control disease or injury. This includes disclosing PHI on an ongoing basis as needed to report all prior and prospective cases of patients exposed to, or suspected or confirmed to have been infected with, COVID-19.

Disclosures to Families, Friends, and Others Involved in the Patient’s Care

HIPAA permits a covered entity to share PHI, such as whether a patient has contracted COVID-19, with certain friends, family members, and other individuals involved in the care of that person.

Disclosures to Prevent a Serious and Imminent Threat

A covered entity may disclose PHI as necessary to prevent a serious and imminent threat to a person or the public at large, as long as such disclosure is consistent with applicable law (federal or state) and the provider’s standards of ethical conduct. It is recommended that a covered entity immediately engage legal counsel before making a determination to disclose based on a potential serious and immediate threat.

Minimum Necessary Standard

Covered entities must remember that they are still required to limit such uses and disclosures to the minimum necessary information to accomplish the purpose of the disclosure. In its bulletin, OCR also reminded covered entities that they must continue to implement appropriate safeguards to protect patient PHI against intentional or unintentional uses or disclosures. Particularly during a stressful time such as a pandemic, employees may be more tempted to “snoop” in certain patients’ records or inappropriately share information concerning patients who may be infected — even to the media, which should definitely be prohibited. Covered entities should emphasize to their staff that privacy is still a top priority, but necessary information may be shared as mentioned above to help contain and combat the COVID-19 pandemic.




Danielle E. Sapega



(215) 665-4701


We will continue to update you as more information becomes available and/or if our or OCR’s recommendations change.