Pulmonology Coding Alert

Question: We diagnosed a patient with coronavirus three days ago. Ever since, her husband has been calling us to ask various questions about her condition. She does not have a HIPAA authorization on file allowing us to disclose her health information with him. Does the pandemic announcement allow us to supersede that?

New York Subscriber

Answer: The answer depends on a variety of factors and may be complicated. Patient health privacy is imperative to secure, even during an epidemic or pandemic. Physicians’ offices, as covered entities (CEs), must abide by the HIPAA Security and Privacy Rules. However, there are some caveats to that during a pandemic.

“In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information,” says the Office for Civil Rights (OCR) in a dedicated COVID-19 fact sheet.

With the novel coronavirus (COVID-19) dominating the news, the government issued updated guidance on the HIPAA Privacy Rule. The update advises on the best way to thwart the virus while protecting patients’ privacy.

Remember: HIPAA still applies to CEs and their business associates after the government calls a public health emergency (PHE), and both must continue to safeguard patients’ privacy the best they can. If a PHE is in place, CEs can disclose patients’ PHI without authorization when it’s “necessary to treat a patient, to protect the nation’s public health, and for other critical purposes,” explains the OCR bulletin. Here’s a short checklist and the parts of the HIPAA Privacy Rule where you can find the in-depth explanation, according to OCR guidance:

Family and friends: If necessary, a CE can share a patient’s PHI with family, relatives, and friends if they’re part of the patient’s care or need to be located, identified, or notified about location, condition, or death.

Additionally, the CE must get “verbal permission” or “infer” the patient wouldn’t object because it’s in their best interest; the patient is incapacitated or unconscious and the provider uses medical judgment to share the data; or the CE needs to share the PHI with a disaster relief organization like the Red Cross to ensure public safety.

Public health activities: There are three groups CEs can share PHI with during a PHE without authorization. They include:

1. Public health authorities like the CDC or state or local health departments to prevent or manage disease, injury, or disability

2. Foreign governments at the direction of a public health authority, working with the authority

3. People at risk of contracting or spreading disease, but only if the state law authorizes the CE to notify such persons to avoid or control the spread of the disease, or otherwise to carry out PHE interventions or investigations

Imminent threat: If state laws and ethics are observed, providers may share PHI to avoid or diminish dangers and imminent threats.

Because of all of these caveats to the law, your best bet is to contact an attorney before disclosing the patient’s private health information to anyone.

Resource: See more OCR insight on the virus and HIPAA at www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf.