Coronavirus: Patient privacy implications
Health care providers, health plans and others monitoring the recent coronavirus outbreak should be aware of how patient information can and cannot be shared and used under applicable laws, including the HIPAA privacy rule, in the event of an outbreak or other emergency in their facilities or involving their patients. In February 2020, the HHS Office for Civil Rights (OCR) issued HIPAA Privacy and Novel Coronavirus, a bulletin outlining what actions HIPAA permits in this type of situation.
HIPAA permits covered entities (and their business associates) to disclose protected health information (PHI) without a patient’s (or their personal representative’s) authorization only for specified purposes, including:
Treatment: For the patient’s treatment or to treat a different patient. Treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment.
Public health activities:
- Public health authorities – To a public health authority (CDC, or a state or local health department), or Indian tribe authorized by law, or entities or persons authorized by them to collect or receive PHI to prevent or control disease, injury or disability. For example, a covered entity can disclose PHI to the CDC on an ongoing basis as necessary to report all prior and prospective cases of patients exposed to, or suspected or confirmed to have coronavirus.
- Foreign governments – To a foreign government agency that is acting in collaboration with a public health authority.
- At-risk persons – To persons at risk of contracting or spreading a disease or condition, if other laws, such as state law, authorize the covered entity to notify them to prevent or control the spread of disease or carry out public health interventions or investigations.
Family, friends and others involved in care and notifications: To a patient’s relatives and friends identified by the patient as involved in their care, or to disaster relief organizations authorized by law or by their charters to assist in disaster relief efforts, as necessary for the purpose of identifying, locating and notifying family members, guardians or others responsible for the patient of the patient’s location, condition or death. This may include notifying the press or public at large. Verbal permission from patients should be obtained if possible. If a patient is incapacitated or unavailable, covered health care providers may use professional judgment to determine if sharing PHI with others involved in the patient’s care is in the patient’s best interest.
To prevent a serious or imminent threat: With anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, as consistent with other applicable state or federal laws and the provider’s standards of ethical conduct. HIPAA defers to the judgment of health professionals to determine the nature and severity of the threat and permits them to disclose PHI to anyone in a position to prevent or mitigate a serious and imminent threat, including caregivers and law enforcement, without a patient’s permission.
Media or others not involved in care/notifications: To the media in limited circumstances, such as notifying the media to identify, locate and notify family members, guardians or others involved in a patient’s care as described above. Otherwise, HIPAA does not permit covered entities to report to the media or the public at large about a patient or their PHI. If a patient has not objected or restricted the release of their PHI, a covered entity health care provider may, if requested, disclose specific information about a patient, including the patient’s name, that they are a patient at the health care provider and basic information about the patient’s condition. If the patient is incapacitated, covered entities can also disclose PHI if they believe the disclosure is in the patient’s best interest and is consistent with the prior expressed preferences of the patient.
Minimum necessary and other safeguards: Generally, a covered entity must make reasonable efforts to limit the PHI they disclose to the “minimum necessary” information to accomplish the purpose. The minimum necessary restriction does not apply to disclosures for treatment, however. In addition, reasonably requested information from a public health agency is deemed to meet the minimum necessary standard, such as a request from the CDC for PHI about all patients exposed to or confirmed to have coronavirus. When responding to a request from a public health agency, covered entities should continue to apply their role-based access policies to limit access to PHI to only those workforce members who need access to carry out their roles for the covered entity.
Even in an emergency situation, such as the outbreak of a virus, covered entities must continue to implement reasonable safeguards to protect PHI against intentional or unintentional impermissible uses and disclosures, and must continue to apply the administrative, physical and technical safeguards of the HIPAA security rule to electronic PHI.