Human coronaviruses are common throughout the world and commonly cause mild to moderate illness. The Centers for Disease Control and Prevention (CDC) is closely monitoring an outbreak of respiratory illness caused by a novel (new) coronavirus, referred to as the 2019 Novel Coronavirus (2019-nCoV). Symptoms reported so far for patients with 2019-nCoV have included mild to severe respiratory illness with fever, cough, and difficulty breathing. Fears about contracting the virus could lead to impermissible “snooping” and sharing of information by healthcare employees. Coronavirus and HIPAA concerns are discussed below.
Coronavirus and HIPAA Concerns: Access to PHI
Healthcare organizations are likely to be asked questions about coronavirus by patients and the public. Covered entities should take this opportunity to remind their workforce that employees may not access or disclose patient records for an unauthorized purpose.
Curiosity may tempt employees to look up a patient’s medical record to see if the record includes evidence of any discussions a patient may have had with a provider about coronavirus. Under HIPAA, however, employees may only access or disclose patient records when specifically authorized to do so as part of their job, or when required to do so under law. Employees should especially resist this temptation with respect to patients who have sought treatment for mild to severe respiratory illness.
Coronavirus and HIPAA Concerns: Public Health Emergency
To date, the Department of Health and Human Services has not declared a public health emergency with respect to coronavirus. The 2019 Novel Coronavirus was identified in Wuhan, Hubei Province, China. To date, there are over a thousand confirmed cases in China, including cases outside Wuhan City. Calls for travel bans from China and suspension of commercial flights between the U.S. and China have been unsuccessful.
If a public health emergency is declared, covered entities must understand their obligations with respect to the use and disclosure of PHI.
Under the HIPAA public health exemption (which applies, among other reasons, when a public health emergency has been declared), covered entities may, under the HIPAA Privacy Rule, disclose PHI, without written patient authorization, to public health authorities legally authorized to receive it, for the purposes of preventing or controlling disease, injury, or disability. Disease, injury, and disability prevention and control measures and activities include reporting of disease or injury, and reporting of vital events, such as deaths.
Under the HIPAA public health exemption, a covered entity may also, without written patient authorization, disclose PHI to conduct public health surveillance, investigations, or interventions.
Covered entities may also, if directed to do so by a public health authority, disclose PHI to a foreign government agency acting in collaboration with that authority. Covered entities that ARE public authorities may use and disclose PHI for:
- The purpose of preventing or controlling disease;
- The purpose of preventing or controlling injury;
- The purpose of preventing or controlling disability.