The HIPAA Privacy Rule is not suspended during a public health or other emergency. This means that covered entities must still generally comply with the provisions of the HIPAA Privacy Rule during emergencies, whether natural or manmade. Covered entities still must comply with the HIPAA Privacy Rule.
However, the Secretary of the Department of Health and Human Services waived certain provisions (and the associated penalties for noncompliance) of the HIPAA Privacy Rule, effective March 15, 2020, as a result of coronavirus. Two laws give the Secretary this power: The Project BioShield Act of 2004, and Section 1135 of the Social Security Act.
When May the Secretary Waive Provisions of the HIPAA Privacy Rule?
The Secretary may exercise this Privacy Rule waiver if two conditions have been met:
- The President declares an emergency or disaster; and
- The Secretary of HHS declares a public health emergency.
In the case of COVID-19, both conditions have been met.
Under the Privacy Rule waiver, the Secretary is waiving sanctions and penalties against a covered entity hospital that does not comply with certain provisions of the HIPAA Privacy Rule. These provisions include:
- The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
- The requirement to honor a request to opt out of a covered entity’s facility directory.
- The requirement to distribute a notice of privacy practices.
- The patient’s right to request privacy restrictions.
- The patient’s right to request confidential communications.
When and How Does the Waiver Apply?
The waiver applies:
- The emergency area identified in the public health emergency declaration.
- To hospitals that have instituted a disaster protocol.
- For up to 72 hours from the time the hospital implements its disaster protocol.
When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for a patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.
Regardless of the activation of the coronavirus emergency waiver, the HIPAA Privacy Rule still permits disclosures for treatment, operations and payment purposes, and still permits certain disclosures to disaster relief organizations. For instance, the HIPAA Privacy Rule allows covered entities to share patient information with the American Red Cross so it can notify family members of the patient’s location.
When Can PHI be Disclosed in an Emergency?
PHI can be disclosed by hospitals and medical offices, without having to obtain written patient authorization, if the disclosure is needed for treatment, care coordination, patient referrals, and consults with other healthcare providers. Covered entities, if requested, notify public health authorities when a patient becomes infected with COVID-19. This is because such information is needed to protect public health and safety. Healthcare providers may choose to share PHI with public health authorities, such as the CDC, state health departments, and local health departments. Whether a public health authority requires the information about an infection, or whether a public health authority chooses to submit it, that PHI may be shared with the public health authority without obtaining written patient authorization.
PHI may also be disclosed to prevent and lessen a serious and imminent threat of harm to a specific person or the public at large, provided no state law is to the contrary. Such disclosure does not require written patient authorization. Rather, the disclosure is left to the healthcare professional’s professional judgment as to the nature and severity of the threat of harm.
Can Information be Disclosed to Individuals Involved in a Coronavirus Patient’s Care?
Under the HIPAA Privacy rule, disclosures of PHI are permitted to friends, family members and caregivers involved in patient care. HIPAA covered entities may also share PHI if necessary to identify or locate a coronavirus patient, or to notify personal representatives and others responsible for the patient’s care about where the patient is, what their general condition is, and whether they have died. This sharing of information may be with law enforcement, the media, or even the public at large, as is necessary to identify or locate a patient. A provider should attempt to obtain a patient’s verbal consent whenever possible. A healthcare professional must otherwise be able to reasonably infer, using professional judgement, that the patient does not object to a PHI disclosure that is determined to be in the patient’s best interests.
Can Coronavirus PHI be Shared with Disaster Relief Organizations?
Coronavirus PHI may be shared with disaster relief organizations, such as the Red Cross, that are authorized either by charter or law to assist in disaster relief efforts. Such efforts include coordinating notification of individuals involved in a patient’s care about the patient’s location, condition, or death.
Does the HIPAA Minimum Necessary Standard Apply in Emergency Situations?
The HIPAA Minimum Necessary Standard applies to all disclosures of PHI other than those made by healthcare providers for treatment purpose. Under this standard, PHI that is disclosed must be restricted to the minimum necessary information to achieve the emergency purpose for which the information is being disclosed.
When information is requested by a public health authority or official, a covered entities can rely on representations from the public health authority or official that the PHI being sought is the minimum necessary amount, so long as that reliance is reasonable under the circumstances.
Disclosures About COVID-19 Patients to the Media
If a media entity requests that a covered entity provide information about a patient by name, the covered entity may disclose the general condition of the patient, and their location in the healthcare facility. This is so, provided the patient has denied consent to such disclosure, the covered entity may describe the status of a patient, in general terms such as: undetermined, good, fair, serious, critical, treated and released, treated and transferred, or deceased. No other information – including patient names and other identifying information – may be disclosed, unless the patient has first consented to such disclosure in writing.
Can Non-Covered Entities, Such as Employers, Disclose PHI?
HIPAA itself does not apply to organizations that are not covered entities or business associates. Such organizations include employers. Healthcare communications between employer and employee are not protected by HIPAA. While HIPAA does not restrict such communications, other laws might. The ADA generally restricts employers’ ability to ask employees about medical conditions. That is, employers may not ask medical questions likely to disclose a disability.
However, the ADA permits an employer to require that an employee disclose health information with respect to whether the employee poses a direct threat to the health or safety of himself/herself or others. So, an employer can require an employee to confidentially disclose test results to the employer. An employer CANNOT, though, ask an employee if that employee has a health condition (like a compromised immune system) that would be affected by coronavirus. This is because that question is likely to disclose a disability. Note that coronavirus itself is not considered a disability.
Under the ADA, employers may also let employees know that a case of coronavirus has been confirmed in the workplace – provided the employee’s name is not revealed. Also, during a pandemic, an employer may inquire if someone has recently traveled abroad. The employer can do this because the employer isn’t directly asking about a current medical condition, but rather an employee’s potential infection with the disease and related travel. If someone IS infected, the ADA’s “direct threat” rule allows employers to ask if that employee has coronavirus. The reason for this is because that employee, by definition, poses a direct threat to co-workers and others in the workplace. Employers may also ask people with symptoms to seek medical attention and get tested for COVID-19. Finally, employers can ask an employee with symptoms if the person has tested positive.