Health Information Compliance Alert

Published on Wed Feb 12, 2020 PDF

Tip: Review your state’s privacy rule under a PHE.

With the novel coronavirus dominating the news, the government issued updated guidance on the HIPAA Privacy Rule. The update advises on the best way to thwart the virus while protecting patients’ privacy.

Background: HHS Secretary Alex Azar declared a public health emergency (PHE) on Jan. 31 for the entire United States in response to the spread and threat of the novel coronavirus. The agency’s announcement followed the World Health Organization (WHO) international PHE rollout on Jan. 30.

“While this virus poses a serious public health threat, the risk to the American public remains low at this time, and we are working to keep this risk low,” Azar said in a release. “We are committed to protecting the health and safety of all Americans, and this public health emergency declaration is the latest in the series of steps the Trump Administration has taken to protect our country.”

The Centers for Disease Control and Prevention (CDC) advises that the details on the 2019 novel coronavirus (2019-nCoV) are “emerging” and “rapidly evolving.” The virus originated in Wuhan City, Hubei Province, China and is spreading quickly across the world. Tens of thousands are infected with the virus in China, and reports suggest that more than 1,000 have died from the disease. There is currently no vaccine for the virus.

Symptoms: According to the CDC, 2019-nCoV “causes respiratory illness in people and can spread from person to person.” Providers can see more CDC advice on identifying symptoms, lab tests, flowcharts, alerts, and treatment options at  www.cdc.gov/coronavirus/2019-nCoV/hcp/index.html.

In addition to the declaration, the HHS Office for Civil Rights (OCR) also issued a bulletin offering new insight on the virus, which clarifies patients’ rights and protected health information (PHI) as well as the rules that govern covered entities (CEs) during a PHE.

Remember: HIPAA still applies to CEs and their business associates after the feds call a PHE, and both must continue to safeguard patients’ privacy the best they can — whether in the wake of a natural disaster or the grips of disease outbreak.

Know These PHI Disclosure Essentials

If a PHE is in place, CEs can disclose patients’ PHI without authorization when it’s “necessary to treat a patient, to protect the nation’s public health, and for other critical purposes,” explains the OCR bulletin. Here’s a short checklist and the parts of the HIPAA Privacy Rule where you can find the in-depth explanation, according to OCR guidance:

Treatment: If necessary, a CE can share PHI without authorization to treat the patient or a different patient (45 CFR §§ 164.502(a)(1)(ii), 164.506(c), and the definition of “treatment” at 164.501).

Public health activities: There are three groups CEs can share PHI with during a PHE without authorization. They include:

1. Public health authorities like the CDC or state or local health departments to prevent or manage disease, injury, or disability (45 CFR §§ 164.501 and 164.512(b)(1)(i)).

2. Foreign governments at the direction of a public health authority, working with the authority (45 CFR 164.512(b)(1)(i)).

3. People at risk of contracting or spreading disease, but only if the state law authorizes the CE to notify such persons to avoid or control the spread of the disease, or otherwise to carry out PHE interventions or investigations (45 CFR 164.512(b)(1)(iv)).

Family and friends: If necessary, a CE can share a patient’s PHI with family, relatives, and friends if they’re part of the patient’s care or need to be located, identified, or notified about location, condition, or death (45 CFR 164.510(b)). Additionally, the CE must get “verbal permission” or “infer” the patient wouldn’t object because it’s in their best interest; the patient is incapacitated or unconscious and the provider uses medical judgment to share the data; or the CE needs to share the PHI with a disaster relief organization like the Red Cross to ensure public safety.

Imminent threat: As long as state laws and ethics are observed, providers may share PHI to avoid or diminish dangers and imminent threats (45 CFR 164.512(j)).

Although HIPAA permits disclosures of PHI without patient authorization for public health activities and emergencies, you “cannot disregard a patient’s right to privacy in those cases where a patient’s information has been the subject of a public health report,” cautions attorney Laurie Cohen of Nixon Peabody LLP in Albany, New York in a blog posting.

Resource: See more OCR insight on the virus and HIPAA at  www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf.