Updated March 30, 2020
Read our COVID-19 and HIPAA blog for more up-to-date information (current through March 30).
Life gets more complicated in healthcare.
In February the Office for Civil Rights (OCR) issued a bulletin to remind covered entities and their business associates how patient information may be shared under the HIPAA Privacy Rule “in an outbreak of infectious disease or other emergency situation” but also to underscore “that the protections of the Privacy Rule are not set aside during an emergency.” (February 2020 OCR Bulletin)
Things are moving so rapidly that even the February Bulletin is out of date. It mentions that persons who have traveled from China are high risk, but doesn’t mention Italy, Iran or South Korea, all of which have been added in recent days. The most up-to-date information on the Coronavirus in the U.S. from the Centers for Disease Control and Prevention (CDC) can be found here.
On March 3 there were 68 reported cases in the U.S., in 15 states.
As of March 9, there are 566 cases in 36 states. (Sources: CDC.gov and the New York Times.)
This blog summarizes the February Bulletin, and also reviews the waivers that apply when a Declaration is made by HHS and the President (as of today’s date this has not occurred for COVID-19).
HIPAA is Not Suspended During Emergencies
We have written about public health emergencies in relation to hurricanes every September for the past three years, most recently in September 2019.
HIPAA remains in effect. However, waivers will kick in if the President declares an emergency or disaster, and the HHS Secretary declares a public health emergency. HHS will then waive sanctions and penalties against a covered entity hospital that does not comply with certain HIPAA provisions.
As of March 9, 2020, HHS’ declaration appears not to have triggered the waivers in a specific geographic area, but that may change. Unless the U.S. Department of Health and Human Services (HHS) issues new rules now, in 2020, the guidance remains the same.
HIPAA Mentions Emergencies Even Without the Declaration and Waivers
The February Bulletin describes how patient information may be shared in an outbreak of infectious disease or other emergency situation.
Here is a synopsis of key HIPAA provisions from the Bulletin:
Sharing Patient Information
Information may be disclosed as necessary, without individual authorization, to treat the patient; including coordination, consultation and referral between or among providers.
Public Health Activities
Covered entities may disclose PHI without individual authorization:
- To a Public Health Authority at the federal, state, tribal or local level for the purpose of preventing or controlling disease. “For example, a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV).”
- At the direction of a Public Health Authority, to a foreign government agency that is collaborating with the public health authority.
- To persons at risk of contracting a disease or condition, provided state law permits such a disclosure to prevent spread of the disease or condition.
Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification
A covered entity may share protected health information with a patient’s family, friends, or other persons identified by the patient as involved in their care. A covered entity also may share patient information as necessary to identify, locate, and notify family, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include notifying the police, the press, or the public at large.
- Ideally, the covered entity should get verbal permission from individuals or otherwise be able to infer that the patient does not object; if the individual is incapacitated or not available, covered entities may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest.
- For patients who are unconscious or incapacitated: a health care provider may share relevant information about the patient with family or friends, or others involved in the patient’s care or payment for care, if the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient. For example, a provider may determine that it is in the best interests of an elderly patient to share relevant information with the patient’s adult child, but generally could not share unrelated information about the patient’s medical history without permission.
- In addition, a covered entity may share protected health information with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care about the patient’s location, general condition, or death. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.
Disclosures to Prevent a Serious and Imminent Threat
Providers may share with anyone (family, friends, law enforcement) as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law and ethical codes of conduct.
Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification
In general, this is not permitted without authorization. But, “where a patient has not objected to or restricted the release of protected health information, a covered hospital or other health care facility may, upon request, disclose information about a particular patient by name, may release limited facility directory information to acknowledge an individual is a patient at the facility, and may provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released). Covered entities may also disclose information if the patient is incapacitated, and if the disclosure is believed to be in the best interest of the patient and consistent with any prior expressed preferences of the patient.”
The minimum necessary rule still applies: limit the information disclosed to the minimum necessary to accomplish the purpose. Note, however, that this rule does not apply to disclosures for purposes of treatment, as described above under Sharing Patient Information.
Safeguarding Patient Information
Even during an emergency, covered entities and business associates should continue to take steps to guard against intentional or unintentional uses and disclosures not permitted by HIPAA.
HIPAA Only Applies to Covered Entities and Business Associates
The HIPAA Privacy Rule does not apply to disclosures made by entities or other persons who are not covered entities or business associates (although such persons or entities are free to follow the standards on a voluntary basis). There may be other state or federal rules that apply, for example, state privacy laws or the Americans with Disabilities Act (ADA), or ethical codes of conduct.
A business associate of a covered entity (including a business associate that is a subcontractor) may make disclosures permitted by the Privacy Rule, such as to a public health authority, on behalf of a covered entity or another business associate to the extent authorized by its business associate agreement.
If the Declaration is Made, How the HIPAA Waivers Work
The waiver rules are simple.
During a declared public health emergency HHS will waive sanctions and penalties against a hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
- the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
- the requirement to honor a request to opt out of the facility directory
- the requirement to distribute a notice of privacy practices
- the patient’s right to request privacy restrictions
- the patient’s right to request confidential communications
The HIPAA public health emergency waivers only apply:
(1) in the emergency area and for the emergency period identified in the public health emergency declaration;
(2) to hospitals that have instituted a disaster protocol; and
(3) for up to 72 hours from the time the hospital implements its disaster protocol.
When the public health emergency declaration ends, the waivers end, and a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not passed since implementation of its disaster protocol.
Contingency Planning under HIPAA
HIPAA requires contingency planning as part of its Risk Analysis and Risk Management requirements. Now is a good time to review your contingency plan, or to create one if you don’t have one already. For example, do you have a communications strategy for talking with patients and the media? Have you reviewed HIPAA basics with your workforce, including how to talk with family and friends, and when to obtain an authorization? Do you have extra supplies, and a staffing calendar in the event employees become ill and must stay home?
Stay in Touch with The HIPAA E-Tool®
If you are wondering how to manage HIPAA in these difficult times, let us know. You don’t need to be a customer. We care about the healthcare community, here in the United States and across the world, and are happy to answer questions if we can.
Image from Elizabeth R. Fischer/National Institute of Allergy and Infectious Diseases’ Rocky Mountain Laboratories