Practice Management Alert

Bone up on which parts of the HIPAA Privacy Rule apply during a public health emergency.

“In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information,” says Office for Civil Rights (OCR) in a dedicated COVID-19 fact sheet.

With the novel coronavirus dominating the news, the government issued updated guidance on the HIPAA Privacy Rule. The update advises on the best way to thwart the virus while protecting patients’ privacy.

In addition to the declaration, OCR also issued a bulletin offering new insight on the virus, which clarifies people’s rights and protected health information (PHI), as well as the rules that govern CEs during a public health emergency (PHE).

Remember: HIPAA still applies to CEs and their business associates after the feds call a PHE, and both must continue to safeguard patients’ privacy the best they can — whether in the wake of a natural disaster or the grips of disease outbreak.

Check in on These PHI Disclosure Essentials

If a PHE is in place, CEs can disclose patients’ PHI without authorization when it’s “necessary to treat a patient, to protect the nation’s public health, and for other critical purposes,” explains the OCR bulletin. Here’s a short checklist and the parts of the HIPAA Privacy Rule where you can find the in-depth explanation, according to OCR guidance:

Treatment: If necessary, a CE can share PHI without authorization to treat the patient or a different patient (45 CFR §§ 164.502(a)(1)(ii), 164.506(c), and the definition of “treatment” at 164.501).

Public health activities: There are three groups CEs can share PHI with during a PHE without authorization. They include:

1. Public health authorities like the CDC or state or local health departments to prevent or manage disease, injury, or disability (45 CFR §§ 164.501 and 164.512(b)(1)(i)).

2. Foreign governments at the direction of a public health authority, working with the authority (45 CFR 164.512(b) (1)(i)).

3. People at risk of contracting or spreading disease, but only if the state law authorizes the CE to notify such persons to avoid or control the spread of the disease, or otherwise to carry out PHE interventions or investigations (45 CFR 164.512(b)(1)(iv)).