There is still a lot of confusion over whether HIPAA applies during a pandemic. It does.
But these are challenging times, with doctors, EMS workers, public health officials, the media, and family and friends trying to grapple with managing COVID-19. Priorities have shifted as healthcare workers are under siege treating surges of patients with a novel disease. The media wants to know about how healthcare institutions are managing, and public health officials are thrust into the front line as they gather data, issue guidance, and work with their communities to slow the spread.
How do we maintain privacy? Should we? Does it still matter?
Privacy is the Backbone of HIPAA and Quality Care
HIPAA, which stands for the Health Information Portability and Accountability Act, is mainly about privacy. The HIPAA Privacy Rule says that Protected Health Information, or PHI (with a few exceptions), should not be disclosed or used by covered entities or business associates without a patient’s authorization. Today, a big chunk of HIPAA is also devoted to patient information security. As the internet grew and electronic communication became the norm after HIPAA was first enacted, the HIPAA Security Rule was added.
Together, the Privacy and Security Rules create the steps to protect patient privacy. The Breach Notification Rule kicks in when privacy is breached, and says how breaches of PHI should be handled – how to investigate, how to notify affected patients, the U.S. Department of Health and Human Services (HHS) and in some cases, the media. All the HIPAA rules work together and all must be complied with. At the heart of all of it is maintaining patient privacy.
With or without HIPAA requirements, patients today still expect that health care institutions and the workers involved in their care will maintain their privacy. They trust that the hospital, doctors, nurses, and others will not disclose information the patient shares, or the patient’s condition. Quality care depends on this trust.
Problematic Uses and Disclosures of Protected Health Information
Unfortunately, early in the pandemic, in much of March through May, the media reported stories from inside of hospital corridors and emergency rooms. The media are not covered entities, so they were not violating HIPAA, but the healthcare institutions (covered entities) that allowed media reporters inside patient care areas were not following HIPAA rules to prevent disclosure of patient information. We saw faces, names and charts in newsfeeds day after day. A patient’s face, their ID number, and their name are all considered PHI and should not be disclosed to anyone who is not involved in the patient’s treatment. And it is not okay to film first and obtain authorization afterward.
Contact tracing is essential to help slow the transmission of COVID-19. HIPAA permits public health authorities (and their staff) to collect patient information from patients who have the disease, as this allows them to notify the infected person’s “contacts” who might need to quarantine and to watch for symptoms. Those who are contacted will want to know who might have infected them, but HIPAA does not permit this disclosure.
There are apps under development that help trace contact exposures, but to date, most of them have privacy and security flaws that have not been solved satisfactorily. In other countries without HIPAA laws, like South Korea, Japan and Singapore, the apps have worked well, but at the sacrifice of privacy.
Permitted Uses and Disclosures of Protected Health Information
NOTE about the Minimum Necessary standard: in all cases where patient information may be used or disclosed without the patient’s authorization, HIPAA requires that it be only the minimum necessary information to accomplish the purpose.
Three Permitted Uses Upfront
Covered entities may use or disclose PHI, without authorization, for the purposes of treatment, payment, or health care operations. The first two are self-explanatory. The third is not as broad as it sounds – “health care operations” in general means the administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These include quality assessment, performance review, training, business planning, management and administration.
Covered entities may disclose PHI without a patient’s authorization:
- To a Public Health Authority at the federal, state, tribal or local level for the purpose of preventing or controlling disease. A February Bulletin from the Office for Civil Rights, which enforces HIPAA, explained this existing HIPAA concept this way: “For example, a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV).”
- At the direction of a Public Health Authority, to a foreign government agency that is collaborating with the public health authority.
- To persons at risk of contracting a disease or condition, provided state law permits such a disclosure to prevent spread of the disease or condition.
Under normal HIPAA rules, first responders are permitted to use and disclose patient information in certain situations. The topic is covered in more detail in our April 1, 2020 blog, COVID-19 and First Responders, but the highlights are:
- When the Disclosure is Needed for Treatment.
  - For example, a skilled nursing facility may disclose the PHI of a patient who has COVID-19 to EMS personnel who will provide treatment during transport.
- When First Responders May be at Risk of Infection.
  - A covered entity may disclose PHI to a first responder who may have been exposed to COVID-19, or may otherwise be at risk of contracting or spreading COVID-19, if the covered entity is authorized by law to notify persons as part of a public health intervention.
Since the pandemic, other rules have been slightly relaxed, to help first responders protect themselves from infection. For example:
- EMS Dispatch and 911 Call Centers are Permitted to Disclose PHI
  - A hospital or public health department may provide a list of names and addresses of all persons known to have tested positive, or received treatment, for COVID-19 to an EMS dispatch center for use on a per-call basis. The EMS dispatch is allowed to use the list to inform personnel who are responding to any particular call so that they can take extra precautions or use personal protective equipment (PPE). The list should not be shared or published.
  - A 911 call center may ask screening questions of callers, e.g., their temperature, whether they have a cough or difficulty breathing, to identify potential COVID-19. If the call center is a HIPAA covered entity, the call center is permitted to inform a police officer being dispatched to the scene of the name, address, and screening results of the persons who may be encountered so that the officer can take extra precautions or use PPE to lessen the risk of exposure to COVID-19, even if the subject of the dispatch is a non-medical situation.
Family and Friends
Under normal HIPAA rules, a covered entity may share protected health information with a patient’s family, friends, or other persons identified by the patient as involved in their care. A covered entity also may share patient information as necessary to identify, locate, and notify family, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include notifying the police, the press, or the public at large. Some common questions and answers about communicating with family and friends can be found here.
Follow HIPAA to Maintain Privacy and Security
Although the COVID-19 pandemic has changed our lives in ways we could not have imagined a year ago, and although it continues to threaten the health of people in the United States and the economy, the basic concept of privacy protection has not changed, either in the law or the social contract we have with one another. People still value their privacy, and respecting and maintaining privacy is the bedrock of quality patient care. The pandemic has not changed that.