When Can You Disclose PHI Without Authorization
When Can You Disclose PHI Without Authorization

A nurse at Clinton County Health Department claims she was recently fired for refusing to disclose the names and addresses of patients that had tested positive for COVID to the Clinton County Sheriff’s Department. The reason the nurse refused to provide the information stemmed from HIPAA law which states that PHI cannot be disclosed outside of treatment, payment, or healthcare operations, without patient authorization. That raises the question, when can you disclose PHI without authorization?

When Can You Disclose PHI Without Authorization? Was the Nurse Correct in Her Actions

Before we discuss whether or not the Nurse was correct to refuse the request, let’s go over what happened. Diane Kuhl, the Nurse in question, received a request from local law enforcement to provide them with a list of the names and addresses for patients that had tested positive for COVID-19. The Clinton County Sheriff’s Department asked Ms. Kuhl to provide the information so that they could relay it to emergency response personnel so that they were aware of the COVID patients that may be living in a house call that they were responding to. However, the policy of the Illinois Department of Public Health states that first responders should act as though every call has the potential to put them in contact with a COVID patient.

When directed to provide the names and addresses of COVID patients to law enforcement, Kuhl refused, and was later fired for doing so. However, Kuhl was correct in her assertions that disclosing the information would be a violation of the HIPAA Privacy Rule, as law enforcement is not a public health authority, and therefore the Privacy Rule waiver in public health emergencies does not apply to them.

She has since filed a lawsuit with the Clinton County Circuit Court against Clinton County Health Department. The lawsuit claims that when the healthcare organization fired Kuhl for refusing to violate HIPAA, they violated the Whistleblower Act, the Illinois Medical Patient Rights Act, and the Nurse Practice Act.

“When an employee refuses to engage in illegal conduct, and they get fired for it, they have a right to file a lawsuit. They have a right to get reinstated in their job, (be reimbursed for) lost wages and benefits, their attorney’s fees and costs. It’s a pretty simple issue. It’s really about the public being able to have confidence that their private information won’t be shared. There’s a serious concern that people won’t go get tested (for the coronavirus) if they’re going to be stigmatized.”

Carl R. Draper, Feldman Wasser law firm in Springfield

When Can You Disclose PHI Without Authorization? Public Health Emergencies

Parts of the HIPAA Privacy Rule are relaxed during a public health emergency, such as the coronavirus pandemic. Covered entities are permitted to disclose PHI without a patient’s written authorization, to public health authorities legally authorized to receive it, for these purposes:

Preventing or controlling disease;

Preventing or controlling injury;

Preventing or controlling disability.

Covered entities may also, if directed to do so by a public health authority, disclose PHI to a foreign government agency acting in collaboration with that authority for those same purposes.

Which Requirements are Waived?

Under the Privacy Rule waiver, the Secretary is waiving sanctions and penalties against a covered entity that does not comply with certain provisions of the HIPAA Privacy Rule. These provisions include:

  1. The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. 
  2. The requirement to honor a request to opt out of a covered entity’s facility directory. 
  3. The requirement to distribute a notice of privacy practices.
  4. The patient’s right to request privacy restrictions. 
  5. The patient’s right to request confidential communications.