HHS Addresses HIPAA Privacy and COVID-19 | Practical Law

The Department of Health and Human Services (HHS) has issued guidance addressing how requirements under the Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to COVID-19 (the disease caused by SARS-CoV-2, the 2019 Novel Coronavirus). Among other topics, the guidance addresses coronavirus-related situations in which HIPAA covered entities may disclose individuals' protected health information (PHI).

Practical Law Legal Update w-024-2904 (Approx. 8 pages)

by Practical Law Employee Benefits & Executive Compensation
In an information bulletin (February 2020), HHS's Office for Civil Rights (OCR) has addressed how HIPAA covered entities (CEs) and business associates (BAs) can comply with the HIPAA Privacy Rule in responding to the US outbreak of COVID-19 (the disease caused by SARS-CoV-2 (2019 Novel Coronavirus)). For more information, see:

Disclosing Individuals' Protected Health Information

HHS's guidance addresses several coronavirus-related circumstances in which CEs may disclose individuals' protected health information (PHI) without obtaining the individuals' authorizations. For HIPAA purposes, CEs are health plans, health care clearinghouses, and health care providers that conduct one or more covered health care transactions electronically (for example, transmitting health care claims to a health plan) (see Practice Notes, HIPAA Privacy Rule: Entities Subject to the Privacy Rule and HIPAA Electronic Transactions Under the ACA).

Treatment

HIPAA's Privacy Rule permits CEs to disclose individuals' PHI, without their authorization, as necessary to treat the individual or a different individual (see Practice Note, HIPAA Privacy Rule: Disclosures for Treatment, Payment, and Health Care Operations and Standard Document, HIPAA Authorization to Use and Disclose PHI). For this purpose, treatment includes:
  • Coordinating or managing health care and related services by one or more health care providers.
  • Referring individuals for treatment.

Public Health Activities

The guidance addresses several public health activities for which the Privacy Rule allows CEs to disclose an individual's PHI without obtaining the individual's authorization (see Practice Note, HIPAA Privacy Rule: Authorizations). These permitted disclosures recognize the legitimate need for public health authorities (and other officials responsible for ensuring public health and safety) to access PHI to carry out their public health duties.
Under these rules, CEs may disclose individuals' PHI (without the individuals' authorization) to certain public health authorities, including:
(45 C.F.R. § 164.501 (Definitions).)
Activities that fall under this provision include:
  • The reporting of diseases, injuries, and vital events (for example, births or deaths).
  • Conducting public health surveillance, investigations, or interventions.
In the coronavirus context, for example, CEs may disclose PHI to the CDC on an ongoing basis to report prior or prospective cases of individuals who have been exposed to, or are suspected or confirmed to have, coronavirus.
The HHS guidance addresses two other situations in which PHI may be disclosed without an individual's authorization. First, these disclosures may be made, at the direction of a public health authority, to a foreign government agency acting in collaboration with the public health authority (45 C.F.R. § 164.512(b)(1)(i)). Second, the disclosures may be made to individuals who are at risk of contracting or spreading a disease or condition if other law (for example, state law) authorizes the CE to notify the individual as necessary for conducting public health interventions or investigations (45 C.F.R. § 164.512(b)(1)(iv)).

Disclosures to Individuals Involved in Patient Care; Preventing Serious Threats

The Privacy Rule also permits CEs to share PHI with a patient's family members, relatives, friends, or other individuals whom the patient identifies as being involved in the patient's care. In addition, CEs may share a patient's PHI as necessary to identify, locate, and notify family members, guardians, or other persons responsible for the patient's care of the patient's location, general condition, or death. (45 C.F.R. § 164.510(b).) Additional safeguards apply for patients who are unconscious or incapacitated.
CEs that are health care providers may share a patient's PHI with anyone as necessary to prevent or mitigate a serious and imminent threat to the health and safety of an individual or the public, consistent with:
  • Applicable law (for example, state statutes, regulations, or case law).
  • The provider's ethical conduct standards.
Under this provision, providers may disclose a patient's health information to anyone who is in a position to prevent or reduce a serious and imminent threat (for example, family, friends, caregivers, and law enforcement) without the patient's permission.

Disclosures to the Media or the Public Generally Prohibited

As a general rule, a CE may not:
  • Affirmatively report to the media or the public at large, without a patient's authorization, about an identifiable patient.
  • Disclose to the media or the public specific information about an identifiable patient's treatment (for example, specific tests, test results, or details of a patient's illness).
According to HHS, however, if a patient does not object to or restrict the release of PHI, a covered hospital or other health care facility may, upon request:
  • Disclose information about a particular patient by name.
  • Release limited facility directory information to acknowledge that an individual is a patient at the facility.
  • Provide basic, general information about the patient's condition (for example, whether the individual is critical or stable, deceased, or treated and released).

Minimum Necessary Standard

In most cases, the Privacy Rule requires CEs to make reasonable efforts to limit the information they use or disclose to the "minimum necessary" to accomplish the intended purpose (45 C.F.R. § 164.502(b); see Practice Note, HIPAA Privacy Rule: Minimum Necessary Standard). However, the Privacy Rule's minimum necessary requirements do not apply to disclosures to health care providers for treatment purposes.
If reasonable under the circumstances, CEs may rely on a public health authority's representations that requested information is the minimum necessary for the purpose (see Public Health Activities). For example, a CE may rely on CDC's representations that PHI requested by the agency about all individuals exposed to or suspected or confirmed to have coronavirus is the minimum necessary for the public health purpose. Internally, CEs should continue to apply their HIPAA policies and procedures to limit access to PHI to only those workforce members who need it to carry out their duties (see Standard Documents, HIPAA Business Associate Agreement: Guidance on "Minimum Necessary" Information and HIPAA Training for Group Health Plans: Presentation Materials).

Preventing Impermissible Uses or Disclosures of PHI; HIPAA Security Rule

In emergency situations, CEs must continue to employ reasonable safeguards to protect individuals' PHI from impermissible uses and disclosures – whether intended or unintended (see Practice Note, HIPAA Privacy Rule: Permitted and Prohibited Uses and Disclosures of Health Information). In addition, CEs and their BAs must apply the HIPAA Security Rule's administrative, physical, and technical safeguards to electronic PHI (see Practice Note, HIPAA Security Rule: Safeguards and Related Organizational and Document Requirements).

Scope of HIPAA's Applicability: Business Associates and Subcontractors

The Privacy Rule governs disclosures made by employees and other workforce members of both CEs and their BAs. In general, BAs are entities (other than the CE's workforce members) that perform functions or activities on behalf of – or provide certain services to – a CE that involve creating, receiving, maintaining, or transmitting PHI (see Standard Document, HIPAA Business Associate Agreement). BAs also include subcontractors that create, receive, maintain, or transmit PHI on a BA's behalf (see Practice Note, HIPAA Privacy Rule: Subcontractors Are Business Associates and Legal Update, Subcontractor Liability Under the HIPAA Final Rules). Importantly, the Privacy Rule does not apply to disclosures made by entities or other persons who are not CEs or BAs (although these entities may voluntarily comply with the Privacy Rule).
A CE's BA (including a BA that is a subcontractor) may make disclosures that are permitted by the Privacy Rule, for example:

Practical Impact

Largely directed at health care providers, HHS's guidance addresses Privacy Rule provisions permitting the use and disclosure of PHI (without individual authorizations) for public health activities, provisions that receive little attention except during infectious disease outbreaks. HHS issued similar guidance during the Ebola outbreak in November 2014 (see Practice Note, HIPAA Privacy Rule: Authorizations).
In another COVID-19 development, the Trump Administration restricted and suspended entry into the US, as immigrants or nonimmigrants, of all aliens who were physically present within Iran during the 14-day period before their entry or attempted entry into the US.