In light of the ongoing COVID-19 pandemic and the need for an informed and coordinated public health response, U.S. Secretary of Health and Human Services (HHS) Alex Azar has declared a limited waiver of the following provisions of the HIPAA Privacy Rule. Beginning March 15, 2020, these provisions have been waived:
- Requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care
- Requirement to honor a request to opt out of the facility directory
- Requirement to distribute a notice of privacy practices
- Patient's right to request privacy restrictions
- Patient's right to request confidential communications
This limited waiver is designed to facilitate the disclosure of patients’ protected health information in a number of specific circumstances connected to the ongoing pandemic.
This waiver issued by Secretary Azar only applies under limited circumstances and is applicable:
- In the emergency area identified in the public health emergency declaration
- To hospitals that have instituted a disaster protocol
- For up to 72 hours from the time the hospital implements its disaster protocol. If the public health emergency declaration is terminated by the President or the Secretary before the end of this 72-hour period, then the hospital must return to compliance with the provisions of the Privacy Rule.
Even without the waiver, the HIPAA Privacy Rule outlines a number of situations that permit a covered entity to disclose limited patient protected health information – at times without the patient’s consent – to individuals and entities other than the patient. Clients should consider reviewing the following list of permitted disclosures under the Privacy Rule in the event that they become relevant as the COVID-19 situation unfolds.
Treatment of Patients
Without the patient’s authorization, covered entities may disclose a patient’s protected health information as necessary for the purpose of the treatment (including the coordination or management of healthcare and related services by one or more healthcare providers and others, consultation between providers, and the referral of patients for treatment) of that patient or another patient.
Public Health Activities
Public health authorities and others responsible for ensuring public health and safety may access protected health information that is necessary to carry out their public health mission, and as such, individual authorization by patients is not required in a number of circumstances:
- Covered entities may disclose a patient’s health information to public health authorities such as the CDC or a state or local health department authorized by law to collect or receive such information.
- If a public health authority such as the CDC or a state or local health department directs the covered entity to do so, a covered entity may disclose protected health information to a foreign government agency that is collaborating with the domestic public health authority to address a matter of public health.
- If authorized by state law or a public health authority, a covered entity may disclose protected health information of a patient to persons at risk of contracting or carrying a communicable disease as necessary to prevent the further spread of the disease.
- If authorized by state law or a public health authority, a covered entity may disclose protected health information as necessary to other parties engaged in undertaking public health interventions or investigations.
Disclosures to Family, Friends and Others Involved in an Individual’s Care and for Notification
A covered entity may share a patient’s protected health information:
- With the patient’s family members, friends, or other persons identified by the patient as involved in the patient’s care
- As necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death
- If necessary and in cases of sufficient interest and concern, in an attempt to identify, locate, and notify anyone responsible for a patient by disclosing information to the police, the press, or the public at large
If possible, the covered entity should seek and attain verbal permission from patients or their representatives. If a patient, however, is incapacitated or in some other way unavailable, covered entities may share the patient’s private health information for limited purposes:
- With family, friends, and others involved in the patient’s care if doing so would be in the best interests of the patient, according to the professional judgment of the patient’s healthcare provider
- With disaster relief organizations such as the American Red Cross that are authorized by law or by their charters to assist in disaster relief efforts
Disclosures to Prevent or Lessen a Serious and Imminent Threat
HIPAA’s Privacy Rule expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety. Consistent with applicable state law and professional standards of ethical conduct, healthcare providers may share information with anyone as necessary to avert or mitigate a serious and imminent threat to the health and safety of other individuals.
Disclosures to the Media and Others
Covered entities, according to the rules, should not disclose specific information about the treatment (including, but not limited to, a patient’s test results and specific details of an individual’s condition or illness) of an identifiable patient to the media or other individuals not involved in the patient’s care without the written, HIPAA-compliant authorization of the patient or the patient’s representative, except in the following specific circumstances:
- If a patient has not objected to or otherwise restricted the release of their own protected health information and the media or another individual or individuals request information about that particular patient by name, a covered entity may at its discretion acknowledge that the patient is receiving care in the facility, release limited facility directory information, and provide information about the patient’s condition in broad and general terms such as “critical,” “stable,” “deceased,” or “treated and released.”
- If a patient is incapacitated, covered entities may also disclose information to the media and to other individuals not involved in the patient’s care only if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient.
“Minimum Necessary Rule”
Excluding disclosures to healthcare providers for the purposes of treatment of the patient or others, all disclosures of protected health information that are not authorized by the patient are subject to HIPAA’s “minimum necessary” rule – which applies equally to disclosures made under the public health emergency waiver.
- Under the “minimum necessary” rule, a covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose of the disclosure.
- Internally, covered entities should apply role-based policies limiting access to patients’ protected health information to only those members of the workforce who need the information to perform their duties or whose health and safety may be jeopardized by failure to disclose such information.
- When a patient’s protected health information is requested by a public health authority, covered entities may rely on representations from that authority or another relevant public official that the requested information is the minimum necessary to fulfill the purpose of the request.
Finally, in the COVID-19 & HIPAA Bulletin, the Secretary specifies that a covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have COVID-19 is the minimum necessary for the public health purpose.
To obtain more information, please contact the Barnes & Thornburg attorney with whom you work, or Heather Delgado at 312-338-5905 or firstname.lastname@example.org, Laura Seng at 574-237-1129 or email@example.com, or Alexandra Dumezich at 312-214-2105 or firstname.lastname@example.org.
© 2020 Barnes & Thornburg LLP. All Rights Reserved. This page, and all information on it, is proprietary and the property of Barnes & Thornburg LLP. It may not be reproduced, in any form, without the express written consent of Barnes & Thornburg LLP.