Prioritize Patient Privacy, Even During Emergencies
Make sure your physician office doesn’t lose sight of the HIPAA Privacy Rule during a public health emergency.
Patient health privacy matters, even during an epidemic or pandemic. At the onset of the public health emergency (PHE) for COVID-19, doctor’s offices, as covered entities (CEs), were told they must abide by the HIPAA Security and Privacy Rules.
“In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information,” the Office for Civil Rights (OCR) states in a COVID-19 fact sheet.
With the novel coronavirus dominating the news, the government issued updated guidance on the HIPAA Privacy Rule. The update advised on the best way to thwart the virus while protecting patients’ privacy.
In addition to the declaration, OCR also issued a bulletin offering new insight on the virus, which clarified people’s rights and protected health information (PHI), as well as the rules that govern CEs during a PHE.
HIPAA still applies to CEs and their business associates even during a PHE, and both must continue to safeguard patients’ privacy the best they can. But the OCR has eased up on certain Privacy Rule and Security Rule provisions these past months.
Check These PHI Disclosure Essentials
If a PHE is in place, CEs can disclose patients’ PHI without authorization when it’s “necessary to treat a patient, to protect the nation’s public health, and for other critical purposes,” explains an OCR bulletin. Here’s a short checklist and the parts of the HIPAA Privacy Rule where you can find the in-depth explanation, according to OCR guidance:
Treatment: If necessary, a CE can share PHI without authorization to treat the patient or a different patient (45 CFR §§ 164.502(a)(1)(ii), 164.506(c), and the definition of “treatment” at 164.501).
Public health activities: There are three groups with whom CEs can share PHI during a PHE without authorization:
- Public health authorities, such as the Centers for Disease Control and Prevention (CDC) or state or local health departments, to prevent or manage disease, injury, or disability (45 CFR §§ 164.501 and 164.512(b)(1)(i)).
- Foreign governments at the direction of a public health authority, working with the authority (45 CFR 164.512(b)(1)(i)).
- People at risk of contracting or spreading disease, but only if the state law authorizes the CE to notify such persons to avoid or control the spread of the disease, or otherwise to carry out PHE interventions or investigations (45 CFR 164.512(b)(1)(iv)).
Family and friends: If necessary, a CE can share a patient’s PHI with family, relatives, and friends if they’re involved in the patient’s care or need to be located, identified, or notified about the patient’s location, condition, or death (45 CFR 164.510(b)).
To do so, the CE must obtain the patient’s “verbal permission” or be able to “infer” that the patient wouldn’t object because the sharing is in their best interest; or the patient is incapacitated or unconscious and the provider uses professional judgment to share the data; or the CE needs to share the PHI with a disaster relief organization, such as the Red Cross, to ensure public safety.
Imminent threat: As long as state laws and ethics are observed, providers may share PHI to avoid or diminish dangers and imminent threats (45 CFR 164.512(j)).
HIPAA and COVID-19
The OCR has issued additional guidance specific to the PHE for COVID-19 this year, most of which ease certain HIPAA provisions:
March 17: The OCR will waive potential penalties for HIPAA violations against healthcare providers that serve patients through everyday communications technologies during the COVID-19 PHE. (effective March 17)
March 20: The OCR will not impose penalties for HIPAA violations against healthcare providers in connection with their good faith provision of telehealth. (effective March 20)
March 24: CEs may disclose PHI, such as the name or other identifying information about individuals, without their HIPAA authorization to ensure first responders can provide necessary treatment. (ongoing)
March 28: OCR reminds CEs of their obligation to not discriminate on the basis of race, color, national origin, disability, age, sex, or religion. (ongoing)
April 2: The OCR extends HIPAA flexibilities to CEs’ business associates for the good faith uses and disclosures of PHI for public health and health oversight activities during the COVID-19 PHE. (effective April 2)
April 9: The OCR extends HIPAA flexibilities granted to CEs and business associates to community-based testing sites. (effective March 13)
May 5: OCR reminds CEs that they may not give media and film crews access to facilities where patients’ PHI is accessible without the patients’ prior authorization. (ongoing)
June 12: CEs may identify and contact patients who have recovered from COVID-19 for population-based activities relating to improving health, case management, or care coordination. The guidance emphasizes that “without patients’ authorization, the providers cannot receive any payment from or on behalf of a blood and plasma donation center in exchange for such communications with recovered patients.” (ongoing)
Aug. 24: Health plans are added to the list of those entities permitted to contact patients who have recovered from COVID-19 for population-based activities relating to improving health, case management, or care coordination. Compensation is not permitted. (ongoing)
As the COVID-19 PHE continues, practice managers will need to stay vigilant about these changes and be prepared to reinstate the more stringent rules once the PHE declaration expires.
HHS OCR Announcements related to COVID-19: www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html