Health care providers, health plans, and others who are subject to HIPAA are sure to have questions about when they may disclose information about individuals who have contracted, or been exposed to, Coronavirus (COVID-19).
To address these questions, the Office of Civil Rights, U.S. Department of Health and Human Services, has issued guidance. First, it published a bulletin, reminding us that the privacy rules of HIPAA continue to apply in an emergency while identifying when the rules allow for the responsible use and disclosure of protected health information in the case of a serious contagion. OCR supplemented that guidance with a second bulletin and an announcement that provide relief from certain requirements to hospitals and telemedicine providers.
The First Bulletin: Basic HIPAA Guidance
The threshold question under HIPAA is whether HIPAA applies at all. It is important to remember that HIPAA’s privacy rules extend only to covered entities (health plans, health care clearinghouses, and most health care providers) and their business associates. If an employee notifies his or her employer that that the employee is self-quarantining because he or she has tested positive for the virus, the employer would not be subject to HIPAA’s requirements with regard to that information. But if an employer finds out that an employee has the virus from the employer’s health plan, that information would be subject to HIPAA.
Even if HIPAA does not apply, its requirements may serve as a useful touchstone for how to handle personally identifiable information in difficult situations.
Under HIPAA, an individual’s protected health information (PHI) may be disclosed without the individual’s authorization in various circumstances, including:
- to providers for the treatment of patients;
- to appropriate authorities engaged in public health activities;
- to individuals at risk for contracting or spreading the virus (if permitted by other applicable laws);
- to an individual’s friends and family members involved in the individual’s care (with the individual’s verbal consent or, often, tacit permission);
- to a person in a position to prevent or lessen a serious and imminent threat to the health and safety of an individual or the public (consistent with other applicable laws and standards for ethical conduct).
Thus, information may be disclosed to the Center for Disease Control and to state and local health departments that are collecting information about the spread of the virus, and HIPAA will not prevent reasonable and appropriate action to alert individuals who have been exposed to the virus.
However, covered entities still need to be mindful of HIPAA’s requirements to safeguard PHI from inappropriate uses and disclosures. Covered entities and business associates must continue to take care to use and disclose only the minimum amount of PHI necessary and to verify the identity and, where appropriate, authority of individuals making inquiries. In view of the attention that the virus is receiving, particular care should be taken in communications with the media.
The Second Bulletin: Relief for Hospitals
Effective March 15, certain hospitals will not be subject to penalty or sanction under HIPAA if they fail to comply with the following HIPAA requirements:
- obtaining a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
- honoring a request to opt out of the facility directory. See 45 CFR 164.510(a).
- distributing a notice of privacy practices. See 45 CFR 164.520.
- addressing a patient’s request for privacy restrictions. See 45 CFR 164.522(a).
- addressing a patient’s request for confidential communications. See 45 CFR 164.522(b).
This waiver is limited in scope and duration. It extends only to hospitals that have instituted a disaster protocol and that are located in an emergency area identified in the HHS Secretary’s January 31, 2020 public health emergency declaration. The waiver extends only up to 72 hours from the time a hospital implements its disaster protocol.
The Announcement: Relief for Telemedicine Providers
Effective March 17, OCR will not impose penalties on telemedicine providers who, in good faith, communicate with patients through any non-public facing communication product. The policy applies to video and audio products and to communications about all telemedicine issues, not only issues pertaining to COVID-19. Thus, a provider could video chat with a patient about a sprained ankle on Apple FaceTime, Facebook Messenger video chats, Google Hangouts video, Skype, or a similar service. Providers should enable all available encryption and privacy modes when using these applications and are encouraged to notify patients of that the use of such applications introduce certain privacy risks.
The relief does not extend to public facing applications, such as Facebook.
Providers may seek out services that aim to be HIPAA-compliant from vendors that will enter into business associate agreements. However, OCR will not impose penalties for “the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.”
Absent a specific exception, individuals and entities that are subject to HIPAA must comply with its privacy and security requirements. Those requirements include provisions that allow for the proper use and disclosure of protected health information in a number of ways relevant to the current public health emergency. OCR has provided enforcement relief to telemedicine providers and certain hospitals for a limited range of HIPAA violations. Covered entities and business associates under HIPAA should watch for additional guidance, and should be mindful that the current state of emergency will end at some, as yet undefined, date in the future and with it, the specific relief offered by OCR will also likely end.