
Prioritize Patient Privacy, Even During Emergencies

Make sure your physician office doesn’t lose sight of the HIPAA Privacy Rule during a public health emergency.

Patient health privacy matters, even during an epidemic or pandemic. At the onset of the public health emergency (PHE) for COVID-19, doctors’ offices, as covered entities (CEs), were told they must abide by the HIPAA Security and Privacy Rules.

“In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information,” the Office for Civil Rights (OCR) states in a COVID-19 fact sheet.

With the novel coronavirus dominating the news, the government issued updated guidance on the HIPAA Privacy Rule. The update advised on the best way to thwart the virus while protecting patients’ privacy.

In addition to the declaration, OCR also issued a bulletin offering new insight on the virus, which clarified people’s rights and protected health information (PHI), as well as the rules that govern CEs during a PHE.

HIPAA still applies to CEs and their business associates even during a PHE, and both must continue to safeguard patients’ privacy the best they can. But the OCR has eased up on certain Privacy Rule and Security Rule provisions these past months.

Check These PHI Disclosure Essentials

If a PHE is in place, CEs can disclose patients’ PHI without authorization when it’s “necessary to treat a patient, to protect the nation’s public health, and for other critical purposes,” explains an OCR bulletin. Here’s a short checklist and the parts of the HIPAA Privacy Rule where you can find the in-depth explanation, according to OCR guidance:

Treatment: If necessary, a CE can share PHI without authorization to treat the patient or a different patient (45 CFR §§ 164.502(a)(1)(ii), 164.506(c), and the definition of “treatment” at 164.501).

Public health activities: There are three groups with whom CEs can share PHI during a PHE without authorization:

  • Public health authorities, such as the Centers for Disease Control and Prevention (CDC) or state or local health departments, to prevent or manage disease, injury, or disability (45 CFR §§ 164.501 and 164.512(b)(1)(i)).
  • Foreign governments at the direction of a public health authority, working with the authority (45 CFR 164.512(b)(1)(i)).
  • People at risk of contracting or spreading disease, but only if the state law authorizes the CE to notify such persons to avoid or control the spread of the disease, or otherwise to carry out PHE interventions or investigations (45 CFR 164.512(b)(1)(iv)).

Family and friends: If necessary, a CE can share a patient’s PHI with family, relatives, and friends if they’re involved in the patient’s care or need to be located, identified, or notified about location, condition, or death (45 CFR 164.510(b)).

Additionally, the CE must get “verbal permission” or “infer” the patient wouldn’t object because it’s in their best interest; the patient is incapacitated or unconscious and the provider uses medical judgment to share the data; or the CE needs to share the PHI with a disaster relief organization, such as the Red Cross, to ensure public safety.

Imminent threat: As long as state laws and ethics are observed, providers may share PHI to avoid or diminish dangers and imminent threats (45 CFR 164.512(j)).


The OCR has issued additional guidance specific to the PHE for COVID-19 this year, most of which eases certain HIPAA provisions:

March 17: The OCR will waive potential penalties for HIPAA violations against healthcare providers that serve patients through everyday communications technologies during the COVID-19 PHE. (effective March 17)

March 20: The OCR will not impose penalties for HIPAA violations against healthcare providers in connection with their good faith provision of telehealth. (effective March 20)

March 24: CEs may disclose PHI, such as the name or other identifying information about individuals, without their HIPAA authorization to ensure first responders can provide necessary treatment. (ongoing)

March 28: OCR reminds CEs of their obligation to not discriminate on the basis of race, color, national origin, disability, age, sex, or religion. (ongoing)

April 2: The OCR extends HIPAA flexibilities to CEs’ business associates for the good faith uses and disclosures of PHI for public health and health oversight activities during the COVID-19 PHE. (effective April 2)

April 9: The OCR extends HIPAA flexibilities granted to CEs and business associates to community-based testing sites. (effective March 13)

May 5: CEs may not give media and film crews access to facilities where patients’ PHI is accessible without the patients’ prior authorization. (ongoing)

June 12: CEs may identify and contact patients who have recovered from COVID-19 for population-based activities relating to improving health, case management, or care coordination. The guidance emphasizes that “without patients’ authorization, the providers cannot receive any payment from or on behalf of a blood and plasma donation center in exchange for such communications with recovered patients.” (ongoing)

Aug. 24: Health plans are added to the list of those entities permitted to contact patients who have recovered from COVID-19 for population-based activities relating to improving health, case management, or care coordination. Compensation is not permitted. (ongoing)

Stay Tuned

As the COVID-19 PHE continues, practice managers will need to stay vigilant of these changes and be prepared to reinforce the more stringent rules once the PHE declaration expires.


HHS OCR Announcements related to COVID-19:

Kristin Webb-Hollering

Kristin J. Webb-Hollering is a development editor at AAPC and writes the popular compliance publications Part B Insider, Medicare Compliance & Reimbursement, Health Information Compliance Alert, and Tech & Innovation in Healthcare. With decades of experience as a writer and editor, she focuses on such hot topics as regulatory reform, MACRA, Medicare billing, federal policy, fraud and enforcement, and HIPAA.
