Over the last several weeks, the Office for Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”), the agency responsible for HIPAA enforcement, issued a number of bulletins, notices, and similar guidance materials to assist HIPAA covered healthcare providers and entities during the COVID-19 public health emergency. One such notice provided some leniency for healthcare providers utilizing telemedicine technology, indicating that OCR would not enforce against providers attempting (in good faith) to provide telehealth services using technology platforms that may not otherwise meet all HIPAA requirements. The most recent of OCR’s guidance materials was a March 24, 2020 notice reminding those responding to the COVID-19 pandemic that protected health information (“PHI”) can be communicated without a patient’s authorization in responding to the pandemic.
The HIPAA Privacy Rule permits a covered healthcare provider or entity to disclose the PHI of a person infected with, or exposed to, COVID-19, to law enforcement, first responders like paramedics, and public health authorities (e.g., state and local public health departments) without the individual’s authorization, in certain circumstances. This means that the identity of the person who tested positive, the fact that they tested positive, where person is receiving treatment or self-isolating, how long ago the person was infected and if the person is symptomatic or not, among other relevant details, could be disclosed, subject to HIPAA’s parameters below. OCR’s notice serves as a reminder that while HIPAA’s patient privacy protections apply in a pandemic, those protections should be balanced against countervailing needs to protect first responders and the general public in the face of a pandemic.
Here are examples of when disclosure of PHI by a covered entity (who will frequently be healthcare providers in the COVID-19 context) is permissible under HIPAA whether or not an individual affected with the virus has consented to sharing of his/her PHI:
- When needed to provide treatment: For example, a skilled nursing facility could tell the paramedics transporting a resident to the ER for treatment of symptoms suggesting infection whether or not the individual has tested positive for COVID-19.
- When first responders may be at risk of infection: For example, a local or state health department, assuming it was done in accordance with its state’s laws, would be allowed under HIPAA to disclose PHI to a police officer or other first responder who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19.
- When necessary to prevent or lessen a serious and imminent threat to public health and safety: For example, HIPAA would permit a covered entity to disclose PHI to anyone in a position to prevent or lessen the serious or imminent threat to health and safety. This would include personnel whose job is to protect public health and safety, such as police, fire fighters, child welfare workers, and others. This could also include family members of a patient. The standard to be able to make a disclosure in such a case is that the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties. HIPAA defers to the professional judgment of healthcare providers in determining the nature and severity of a threat.
- When required by law and when needed to prevent or control the spread of disease (disclosure to a public health authority) – these are two different exceptions: An example that meets both of these exceptions to needing an individual’s authorization to disclose their PHI under HIPAA is a hospital reporting cases of COVID-19 treated at its facility in accordance with state laws regarding notification to public health officials of suspected cases of infectious disease.
It is possible that a number of these exceptions will overlap and apply at the same time in some circumstances.
OCR further reminds covered entities that: notwithstanding the unprecedented events in connection with COVID-19, HIPAA still applies. In other words, except when required by law, or for treatment disclosures, a covered entity must still make reasonable efforts to limit the information disclosed under any provision listed above to that which is the “minimum necessary” to accomplish the purpose of the disclosure. Covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose, when that reliance is reasonable under the circumstances.
This recent notice from OCR follows up on a February 2020 bulletin addressing these topics as well. OCR’s prior bulletin also highlighted that HIPAA permits a covered entity to share PHI with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief, for the purpose of, for example, notifying family or others involved in the patient’s care. A covered entity is not required to obtain patient authorization to share their PHI if doing so would interfere with the disaster relief organization’s ability to respond to the emergency.
Given the escalation of COVID-19 cases in the U.S. and their spread throughout the country, reminders from OCR are likely to continue. While OCR seems to provide some breathing room for healthcare providers during this current crisis, the regulator has not provided a complete waiver of HIPAA obligations. Further, given that state Attorneys General can also bring HIPAA enforcement actions and many of the necessary (less common) disclosures required during this pandemic intersect with state medical records and communicable disease laws, it is important that healthcare entities continue to act in good faith to protect patient privacy whenever possible while also protecting the broader population and other healthcare employees from further exposure. Looking ahead to consider how an entity’s actions will reflect when the emergency period passes and the dust begins to settle is a good barometer to evaluate the reasonableness and justification for how healthcare providers use and disclose PHI during this unprecedented crisis.
This is a high-level summary of recent OCR HIPAA-related focus in light of COVID-19, and does not substitute for carefully reviewing OCR’s notice and the HIPAA regulations detailing what is/is not permitted. Please contact Tara Cho or Nadia Aram, the primary authors of this alert, or the Womble Bond Dickinson attorney with whom you normally work, if you have questions about this alert or your organization’s HIPAA compliance.