HIPAA-Permitted Disclosures on the Frontlines
Mar 26 2020
Over the last several weeks, the Office for Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”), the agency responsible for HIPAA enforcement, issued a number of bulletins, notices, and similar guidance materials to assist HIPAA covered healthcare providers and entities during the COVID-19 public health emergency. One such notice provided some leniency for healthcare providers utilizing telemedicine technology, indicating that OCR would not enforce against providers attempting (in good faith) to provide telehealth services using technology platforms that may not otherwise meet all HIPAA requirements. The most recent of OCR’s guidance materials was a March 24, 2020 notice reminding those responding to the COVID-19 pandemic that protected health information (“PHI”) can be communicated without a patient’s authorization in responding to the pandemic.
The HIPAA Privacy Rule permits a covered healthcare provider or entity to disclose the PHI of a person infected with, or exposed to, COVID-19, to law enforcement, first responders like paramedics, and public health authorities (e.g., state and local public health departments) without the individual’s authorization, in certain circumstances. This means that the identity of the person who tested positive, the fact that they tested positive, where the person is receiving treatment or self-isolating, how long ago the person was infected, and whether the person is symptomatic, among other relevant details, could be disclosed, subject to HIPAA’s parameters below. OCR’s notice serves as a reminder that while HIPAA’s patient privacy protections apply in a pandemic, those protections should be balanced against countervailing needs to protect first responders and the general public in the face of a pandemic.
Here are examples of when disclosure of PHI by a covered entity (who will frequently be healthcare providers in the COVID-19 context) is permissible under HIPAA whether or not an individual affected with the virus has consented to sharing of his/her PHI:
It is possible that a number of these exceptions will overlap and apply at the same time in some circumstances.
OCR further reminds covered entities that, notwithstanding the unprecedented events in connection with COVID-19, HIPAA still applies. In other words, except when required by law, or for treatment disclosures, a covered entity must still make reasonable efforts to limit the information disclosed under any provision listed above to that which is the “minimum necessary” to accomplish the purpose of the disclosure. Covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose, when that reliance is reasonable under the circumstances.
This recent notice from OCR follows up on a February 2020 bulletin addressing these topics as well. OCR’s prior bulletin also highlighted that HIPAA permits a covered entity to share PHI with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief, for the purpose of, for example, notifying family or others involved in the patient’s care. A covered entity is not required to obtain patient authorization to share their PHI if doing so would interfere with the disaster relief organization’s ability to respond to the emergency.
Given the escalation of COVID-19 cases in the U.S. and their spread throughout the country, reminders from OCR are likely to continue. While OCR seems to provide some breathing room for healthcare providers during this current crisis, the regulator has not provided a complete waiver of HIPAA obligations. Further, given that state Attorneys General can also bring HIPAA enforcement actions and many of the necessary (less common) disclosures required during this pandemic intersect with state medical records and communicable disease laws, it is important that healthcare entities continue to act in good faith to protect patient privacy whenever possible while also protecting the broader population and other healthcare employees from further exposure. Looking ahead to consider how an entity’s actions will reflect when the emergency period passes and the dust begins to settle is a good barometer to evaluate the reasonableness and justification for how healthcare providers use and disclose PHI during this unprecedented crisis.
This is a high-level summary of recent OCR HIPAA-related focus in light of COVID-19, and does not substitute for carefully reviewing OCR’s notice and the HIPAA regulations detailing what is/is not permitted. Please contact Tara Cho or Nadia Aram, the primary authors of this alert, or the Womble Bond Dickinson attorney with whom you normally work, if you have questions about this alert or your organization’s HIPAA compliance.