Healthcare Law Alert: COVID-19 and HIPAA: What You Need to Know
The Novel Coronavirus disease (COVID-19) has posed significant challenges for healthcare providers and the public on numerous fronts. Information is shifting on a daily basis, and providers are breathless trying to keep pace with managing patient care while also keeping abreast of relevant news and legal developments. Of the many challenges to healthcare providers presented by COVID-19 is how to remain HIPAA-compliant in the face of this “novel” national emergency. Two recent developments are noteworthy.
On January 31, 2020, the Secretary of the U.S. Department of Health & Human Services (DHHS), Alex M. Azar, declared a public health emergency for the U.S. for 2019 Novel Coronavirus. On March 13, 2020, President Trump issued a Proclamation on Declaring a National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak. In response, the DHHS has issued a COVID-19 & HIPAA Bulletin: Limited Waiver of HIPAA Sanctions and Penalties During a National Public Health Emergency, summarized below.
Limited Waiver of HIPAA Sanctions and Penalties During Public Health Emergency
Effective March 15, 2020, the DHHS has waived sanctions and penalties against HIPAA-covered hospitals that do not comply with the following provisions of the HIPAA Privacy Rule:
- The requirement to obtain the patient’s agreement to speak with family members and friends involved in the patient’s care (45 CFR 164.510(b))
- The requirement to honor a request to opt out of the facility directory (45 CFR 164.510(a))
- The requirement to distribute a notice of privacy practices (45 CFR 164.520)
- The patient’s right to request privacy restrictions (45 CFR 164.522(a))
- The patient’s right to request confidential communications (45 CFR 164.522(b))
The waiver applies only:
- In the emergency area identified in the public health emergency declaration
- To hospitals that have instituted a disaster protocol, and
- For up to 72 hours from the time the hospital implements its disaster protocol.
When the Presidential or DHHS Secretarial declaration terminates, HIPAA-covered hospitals must return to full HIPAA compliance, even if 72 hours have not elapsed since implementation of the hospital’s disaster protocol.
HIPAA Privacy and Disclosures in Emergency Situations
In the Bulletin, the DHHS also reminded HIPAA-covered healthcare providers that, even without a waiver, the HIPAA Privacy Rule permits patient information to be shared for certain purposes under certain circumstances, including:
For Treatment Purposes – Covered healthcare providers do not need to obtain written authorization from the patient in order to disclose protected health information (PHI) as necessary to treat the patient, including coordination of the patient’s care among the patient’s healthcare providers.
Public Health Activities – Covered healthcare providers may disclose PHI, without obtaining written authorization from the patient:
- To the CDC, state or local health department or other public health authority, that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability. For example, a covered entity may disclose to the CDC PHI on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have COVID-19.
- At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority.
- To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.
Disclosures to Family, Friends, and Others Involved in the Patient’s Care and for Notification Purposes – Covered healthcare providers may share PHI with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary to notify family members and others, the police, the press, or the public at large. The provider should get verbal permission from the patient or otherwise be able to reasonably infer that the patient does not object, when possible; if the patient is incapacitated or not available, providers may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest.
Disclosures to Prevent or Lessen a Serious and Imminent Threat – Covered healthcare providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. Thus, providers may disclose a patient’s health information to anyone who is in a position to prevent or lessen the serious and imminent threat, including family, friends, caregivers, and law enforcement without a patient’s permission. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety.
For all disclosures other than for treatment purposes, providers should be reminded of HIPAA’s “minimum necessary” standard, which requires the minimum amount of information be disclosed as needed for the purpose of the disclosure, and that reasonable safeguards be employed to prevent impermissible disclosures.