During a public health emergency, it can be confusing to know what information can be shared about individuals who have contracted COVID-19 and those suspected of exposure. To help organizations navigate the complexities of sharing information, we want to walk through what disclosures are permitted.
Before we jump in, it is important to note that during a public health emergency, such as COVID-19, the HIPAA Security and Privacy Rules still apply. The Security rule helps ensure organizations are safeguarding PHI and the Privacy Rule ensures appropriate disclosure. During times of emergencies, the Secretary of the HHS can issue a waiver in areas that are affected. On March 16, 2020 the HHS Office for Civil Rights (OCR) declared a public health emergency. In response to that announcement they also issued the COVID-19 and HIPAA limited waiver of HIPAA sanctions and penalties during the emergency.
HIPAA Bulletin March 2020
Secretary Azar has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
- The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care 45 CFR 164.510(b)
- The requirement to honor a request to opt out of the facility directory 45 CFR 164.510(a)
- The requirement to distribute a notice of privacy practices 45 CFR 164.520
- The patient’s right to request privacy restrictions 45 CFR 164.522(a)
- The patient’s right to request confidential communications 45 CFR 164.522(b)
The above waiver applies to the identified public emergency (COVID-19) and to hospitals that have instituted a disaster protocol for up to 72 hours from the time the hospitals implement its disaster protocol.
Even without a waiver, the Privacy Rule always allows patient information to be shared for the following purposes and conditions:
Are we allowed to disclose PHI for treatment purposes?
YES. Covered entities may disclose, without a patient’s authorization, PHI about the patient as necessary to treat the patient or to treat a different patient. Including the coordination or management of healthcare by one or more healthcare provider or treatment referral. See 45 CFR 164.502(a)(1)(ii).
Are we allowed to disclose PHI to public health authorities i.e. CDC, local, or state health departments?
YES. Disclosure to a publish health authority such as the CDC, state or local health department authorized to collect or receive information for the purposes of controlling the disease, injury or disability. See 45 CFR 164.501 and 164.512(b)(1)(i).
Are we allowed to provide information to family, friends and others involved in an individual’s care?
YES. Covered entities may share PHI with a patient’s family, relatives, friends identified by the patient as involved in their care. See 45 CFR 164.510(b). The covered entity should get verbal permission from the individuals or otherwise be able to reasonably infer that the patient does not object. If the individual is incapacitated, or not available or it is an emergency, the covered entity may, in the exercise of professional judgement, share information if doing so is in the patient’s best interest and is directly relevant to the person’s involvement.
Are we allowed to disclose PHI to help prevent or lessen a serious and imminent threat?
YES. Healthcare providers may share patient information with anyone as necessary to prevent or lessen a threat to the health and safety of a person or the public. See 45 CFR 164.512(j). The disclosure should be to anyone who is able to prevent or lesson the serious and imminent threat, including family, friends, caregivers, and law enforcement.
Are we allowed to disclose to the media or others not involved in the care?
ONLY WITH WRITTEN AUTHORIZATION. In general, affirmative reporting to the media or public at large about an identifiable patient, or disclosure of specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization. See 45 CFR 164.508.
Even with the above disclosures allowed, it is important to remember that covered entities must make every effort to limit the information disclosed to the “minimum necessary.” Alex m. Azar, Secretary of the HHS, announced, “A covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have COVID-19 is the minimum necessary for the public health purpose. In addition, internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties.”
HIPAA One covers all 89 of the HIPAA audit protocol including 42 CFR Part 2 and the 19 breach notification federal requirements in our privacy and breach risk analysis. It also interjects state-specific laws more stringent than federal privacy laws and includes policies and procedures for any gaps identified.
In this unique situation, we want to provide you with the resources and help you need to set your organization up for success. It is important to respect patient health and safety during emergency situations and unique situations we are in today.