Coronavirus: HIPAA Compliance Issues

HHS Alert Describes Permitted PHI Disclosures During Outbreak
As healthcare providers around the world prepare to treat patients afflicted with the novel coronavirus, U.S. regulators are reminding organizations about their HIPAA compliance duties involving patient privacy, including permitted data disclosures for public health activities.
In a new bulletin, the Department of Health and Human Services' Office for Civil Rights reminds covered entities and business associates about the "balance" under HIPAA in protecting patient privacy while ensuring appropriate uses and disclosures of patients' protected health information "to protect the nation's public health and for other critical purposes."
OCR reminds healthcare organizations that they may disclose needed PHI without individuals' authorization "to treat the patient or to treat a different patient;" for public health activities, including providing information to the Centers for Disease Control and Prevention, or state or local health departments; and also to a foreign government agency "at the direction of a public health authority."
Covered entities are also permitted to disclose PHI without an individual's authorization "to persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations," OCR says.
Healthcare organizations also can make certain disclosures to a patient's family, friends and others involved in the individual's care, OCR notes.
"For patients who are unconscious or incapacitated, a healthcare provider may share relevant information about the patient with family, friends or others involved in the patient's care or payment for care if the healthcare provider determines, based on professional judgment, that doing so is in the best interests of the patient."
For most disclosures, however, a covered entity must make reasonable efforts to limit the information disclosed to that which is the "minimum necessary" to accomplish the purpose, OCR points out.
In addition, business associates also "may make disclosures permitted by the [HIPAA] Privacy Rule, such as to a public health authority, on behalf of a covered entity or another business associate to the extent authorized by its business associate agreement," according to OCR.
Commenting on the advice, privacy attorney Iliana Peters of the law firm Polsinelli says: "The point of this type of bulletin is two-fold: It's important to understand that the HIPAA rules cannot be ignored in an outbreak or other public emergency situation, and second, that there are actually several permissions in the HIPAA Privacy Rule that do allow sharing of information that HIPAA entities can take advantage of during such a situation.
"Often, HIPAA covered entities are worried about sharing information with family members or friends of patients, or with public health agencies, but, as highlighted here, the minimum necessary amount of information can - and arguably should - be shared for those purposes, as provided for and permitted by the HIPAA Privacy Rule."
Peters points out that sharing of patient-specific information with the news media or on social media, "particularly in response to news stories or social media posts affecting them," is not allowed without the patient's HIPAA-compliant authorization. As a result, she says, covered entities "should ensure that their staff understand the limitations of their interactions with news media or social media, especially given OCR settlements on both these topics."
Protecting privacy for coronavirus issues is an international effort.
"While public health agencies across nations may commonly coordinate, my impression is that it is uncommon for a healthcare provider to coordinate on public health internationally," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"Accordingly, it's very helpful that OCR reminded the industry that the [HIPAA] Privacy Rule specifically permits disclosures to foreign government agencies at the direction of a U.S. public health authority."
Healthcare organizations need to keep in mind the potential HIPAA privacy violations that can occur during a disease outbreak - or even when dealing with a suspected case, Greene says.
"Hospitals should consider anyone with symptoms of coronavirus as a potential VIP, where there may be a lot of curiosity about the patient's medical record," he says. "Some additional monitoring of access may be warranted."
Also, healthcare providers would be wise to reassess their business continuity plans in case of an outbreak, he adds.
"It is definitely worth thinking about how a disease outbreak may affect privacy and information security," Greene says. "For example, if the information security officer becomes symptomatic and can't come into work, is there a knowledgeable backup in place?"
Regina Phelps, founder of Emergency Management & Safety Solutions, notes that if the fatality rate in coronavirus cases increases, "then I think you will see a lot of widespread impact," including on the global business supply chain.