Amidst the novel coronavirus (COVID-19) outbreak, the Secretary of the U.S. Department of Health and Human Services (HHS), Alex M. Azar, took steps on March 15, 2020, to waive sanctions and penalties related to certain provisions of the HIPAA Privacy Rule (the “Waiver”). However, the HIPAA Privacy Rule is not suspended, and the Waiver only applies: (1) in the emergency area identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.
The Waiver pertains to the following provisions of the HIPAA Privacy Rule:
- The requirement to obtain a patient's agreement to speak with family members or friends involved in the patient’s care under 45 CFR 164.510(b).
- The requirement to honor a request to opt out of the facility directory under 45 CFR 164.510(a).
- The requirement to distribute a notice of privacy practices under 45 CFR 164.520.
- The patient's right to request privacy restrictions under 45 CFR 164.522(a).
- The patient's right to request confidential communications under 45 CFR 164.522(b).
Simultaneously, HHS has posted a bulletin to provide guidance to providers that are facing the unique challenges imposed by COVID-19. Even without the Waiver, HHS reminds providers that the HIPAA Privacy Rule allows protected health information (PHI) to be shared under a number of different circumstances that are pertinent to the outbreak.
Example of How HIPAA Works in an Emergency Like the Coronavirus Outbreak
To demonstrate how the Privacy Rule and Waiver provisions work in real life, let’s look at an example: A patient at a hospital reports contact with a confirmed COVID-19 diagnosis. How can this information be shared?
With the Patient’s Family and/or Close Contacts?
HIPAA would allow a provider to disclose information about the affected patient’s visit to family members and close contacts in a limited number of circumstances. 45 CFR 164.510(b) would permit a provider to: (i) disclose information about the visit to a family member, other relative, or a close personal friend of the affected patient if such individuals are identified by the patient and the disclosure of such PHI is directly relevant to such person's involvement with the patient's health care or payment related to the individual's health care; or (ii) share information regarding the visit that is necessary to identify, locate, and notify a family member, a personal representative of the patient, or another person responsible for the care of the patient, of the patient’s location, general condition, or death.
Providers should first obtain the patient’s consent or reasonably infer, based on the circumstances, that the patient does not object. If this is not possible due to the patient’s incapacity or an emergency circumstance, or if the patient is not present, a provider could still make the disclosure if the provider determines, in its professional judgment, that the disclosure is in the best interests of the patient.
In addition, HIPAA would allow a provider to make such a disclosure to family, friends, and caregivers if they are in danger of contracting COVID-19 from the patient. The provider, in good faith, would need to determine that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of the individual. See 45 CFR 164.512(j). Moreover, such disclosure must be consistent with applicable law, which includes state law. As a result, we would encourage providers to first determine whether applicable state law would permit the disclosure in such an event.
With the Provider’s Staff?
It may be permissible for a provider to notify staff potentially at risk from the affected patient’s visit. HIPAA permits a covered entity to disclose PHI to persons at risk of contracting or spreading a disease if another law, such as state law, authorizes the disclosure. See 45 CFR 164.512.(b)(1)(iv). Some states have duty-to-warn laws applicable to health care providers that permit the disclosure of health information as necessary to avert an immediate risk of harm to an identifiable individual or individuals. Note that such state laws would only permit limited notifications to at-risk staff, such as staff who treated or had personal contact with the patient. Broad, enterprise-wide notice would be inappropriate.
In addition, 45 CFR 164.512(j) would permit a provider to make a disclosure to staff members potentially at risk from the affected patient’s visit in order to prevent or lessen a serious and imminent threat to the health or safety of such staff members. However, as noted above, the disclosure would need to be consistent with applicable law, including state law.
With Other Patients?
A blanket disclosure to all patients of the provider would not be permitted under the HIPAA Privacy Rule. However, as discussed above, if the provider, in good faith, determined that the disclosure would be necessary to prevent or lessen a serious and imminent threat to the health or safety of another patient, the disclosure could be permitted if it was also permitted under state or other applicable law. For instance, if a provider’s other patients came into contact with the affected patient in the waiting room, the provider could disclose to those certain patients that they are potentially at risk of contracting COVID-19 due to the contact. However, such a determination should be made on an individual, case-by-case basis considering the complete legal context – not just HIPAA.
With a Public Health Authority?
It is likely that providers may be asked by public health authorities, which includes the CDC or state or local health departments, to report COVID-19 information, including suspected or confirmed cases. Such a disclosure would be permitted under 45 CFR § 164.512(b)(1)(i), which allows providers to disclose PHI to a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, including, the reporting of disease, and the conduct of public health surveillance, public health investigations, and public health interventions.
With the Media?
Affirmative disclosures to the media are discouraged under HIPAA and generally cannot occur without patient authorization. HIPAA does permit a provider to disclose “facility directory information” to those, including the media, who inquire about a specific patient. Facility directory information is limited information, including an acknowledgement that the patient is at the facility and general condition information (critical, stable, discharged, etc.). Patients ordinarily have the right to prevent a covered entity from disclosing directory information to anyone, including the media. However, as discussed above, HHS has waived sanctions and penalties in light of the COVID-19 emergency for covered entities that do not honor a patient’s refusal to provide directory information. This doesn’t mean that covered entities should affirmatively engage the media. Rather, it means that if circumstances warrant, a provider may disclose directory information to the media, notwithstanding a patient’s objections.
In assessing any uses and disclosures of PHI during the national emergency, including communications under the Waiver, it’s important to remember that the entire rule hasn’t been waived. For example, HIPAA’s minimum necessary standard still applies, so when a disclosure is permitted, in most cases (not including treatment, for example) regulated entities should endeavor to disclose no more than the minimum necessary information for the purpose of the communication. If public disclosure of a confirmed infection is necessary for tracking COVID-19 disease incidence, that information may be disclosed, but the identity of the individual may not be necessary in all circumstances. OCR’s Waiver guidance reminds regulated entities that they are permitted to rely on representations of public health authorities (like CDC) about what information is necessary for a permitted disclosure.
Additionally, HIPAA security standards have not been waived. In fact, they become more important in times of emergency like this. As service delivery is reconfigured, new exposures and security risks emerge. For example, as employees begin telecommuting, PHI and ePHI may face new avenues of exposure. In keeping with their obligation to update a security risk analysis in the event of an operational change, regulated entities should consider new risks to ePHI and mitigation strategies. The disruption of the COVID-19 also provides opportunities for cyber-criminals, so now is a great time to reinforce phishing education.
We are continuing to monitor this developing situation and will report further updates here.