Our Employment, Labor & Benefits colleagues recently blogged on the coronavirus and its ramifications for employers impacted by the outbreak. As this is still an active outbreak with cases increasing within the United States, it's a good time to review how HIPAA applies in a public health emergency, including its restrictions and flexibility in this type of situation. Accordingly, last week, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a helpful bulletin on how the HIPAA Privacy Rule comes into play with the coronavirus outbreak and other public health emergencies.
The most important thing to remember is that basic requirements of HIPAA still apply even in a public health emergency. The HIPAA Privacy Rule permits covered entities to use and disclose protected health information (PHI) without a patient’s authorization for treatment, payment, and health care operations. Just because a public health emergency exists does not mean that covered entities can freely disclose PHI for other purposes. Disclosure of PHI to the media or others not involved in the patient’s care is generally not permissible. However, in a public health emergency, HIPAA permits covered entities to disclose PHI without a patient's authorization to the following categories of individuals and entities:
- Foreign government authorities (at the direction of public health authorities);
- Persons at risk;
- Family, friends, police, disaster relief organizations, etc. who are involved in the patient’s care; and
- Anyone, if it would lessen or prevent a serious and imminent threat to the health and safety of the public at large or an individual person.
Health care providers must also still uphold the “minimum necessary” standard when treating patients with the coronavirus, which means that a covered entity must make a reasonable effort to disclose only the “minimum necessary” PHI to accomplish the purpose. When a public health authority asks a covered entity to disclose information to it for the purpose of infectious disease reporting, a covered entity can rely on the government's representations (when the reliance is reasonable) that the request meets the “minimum necessary” standard to meet the authority’s public health purpose.
As public health agencies are still trying to contain the coronavirus in the U.S. and elsewhere, it is imperative for covered entities and business associates alike to comply with HIPAA while simultaneously balancing a public health emergency. Although HIPAA has taken account for these types of situations, the HIPAA rulebook cannot be set aside and disregarded during this time. You can find OCR's bulletin here.