To address the impact of COVID-19 on patient privacy, the Department of Health and Human Services (HHS) Office of Civil Rights recently issued a bulletin discussing how HIPAA Covered Entities and Business Associates may use or disclose patient information during an outbreak or other emergency situation. This post summarizes relevant authorized uses and disclosures under HIPAA.
Covered Entities may disclose protected health information as necessary to treat the patient or to treat a different patient. The patient’s authorization is NOT required. “Treatment” includes coordinating or managing health care and related services by one or more health care provider(s) and others, consultation between providers, and the referral of patients for treatment.
Example: Dr. Smith tests Patient A for coronavirus. Patient A’s test is positive. Dr. Smith may share that information with Patient A’s other health care providers to coordinate or manage care. Dr. Smith does not need Patient A’s consent to share this information for treatment purposes.
Therefore, if a patient enters a covered entity’s office with symptoms that suggest the patient might have the Coronavirus, the covered entity can still disclose the patient’s medical information to other physicians to whom the practice refers the patient, so that the patient can be tested and, if necessary, treated for the Coronavirus.
Public Health Activities
Covered Entities may disclose protected health information to a public health authority (CDC, state/local health department) for the purpose of preventing or controlling disease, injury, or disability. The patient’s authorization is NOT required.
Example: Patient B is tested for coronavirus at Hospital B. Patient B’s test is positive. Hospital may report the positive test (or related vital events like Patient B’s recovery or death) to the CDC or local health department. Hospital does not need Patient B’s consent to share this information.
Covered Entities may disclose protected health information to persons at risk. The patient’s authorization is NOT required.
Example: Patient A comes into the medical office showing symptoms of the Coronavirus, and after tests are completed it is determined that the patient has the Coronavirus. Under HIPAA the Covered Entity would be allowed to disclose that information to any person or persons who may be at risk because that patient tested positive for the virus, i.e., family, friends, co-workers, or anyone else the patient may have come in contact with. This can be done without the patient’s authorization, but may not be done publicly. The best practice is to inform anyone who may be at risk privately, to protect the patient’s protected health information as much as possible.
Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification
Covered Entities may share protected health information with a patient’s family members, relatives, friends, or other people involved in the patient’s care. Covered Entities also may share patient information to identify, locate, and notify family members (or those responsible for the patient’s care) of the patient’s location, general condition, or death. At times, this could include the police, press, or public at large.
For this disclosure, Covered Entities should get the patient’s verbal permission, if possible. If that is not possible (perhaps due to the patient’s incapacity), the Covered Entity should use its professional judgment to determine if sharing the patient’s health information is in the patient’s best interest.
Example: Patient C lives in Nursing Home and is 85 years old, incapacitated, and positive for coronavirus. Nursing Home may determine that it is in Patient C’s best interest to share his health information with Patient C’s adult son. However, Nursing Home should not share unrelated information about the patient’s medical history without permission.
Example: 20 patients in Nursing Home test positive for coronavirus. Nursing Home may share the patients’ health information with the American Red Cross (or other disaster relief organizations) for the purpose of coordinating the notification of family members or others involved in the patients’ care. Information that may be shared should be limited to the patient’s location, general condition, or death. Obtaining the patients’ consent is not necessary if doing so would interfere with Nursing Home’s ability to respond to the emergency.
Disclosures to Prevent a Serious and Imminent Threat
Covered Entities may share protected health information to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, as long as that disclosure is consistent with relevant state law and the provider’s standards of ethical conduct. This permissible disclosure is highly fact-dependent and, therefore, expressly deferential to professional judgment.
Disclosures to Media or Others NOT Involved in the Patient’s Care
Generally, affirmative disclosures to the media or public at large about an identifiable patient (or related information about an identifiable patient, such as test results or details of the patient’s illness) may not be done without the patient’s written authorization (or the written authorization of the patient’s personal representative).
However, where a patient does not specifically object or restrict the release of protected health information, a covered entity may release limited information to (1) acknowledge the individual is a patient, and (2) provide basic information about the patient’s condition (e.g., “the patient is stable,” or “the patient has been treated and released”).
Example: If Patient A comes into a medical practice showing symptoms of the Coronavirus, is tested, and the test shows he has the virus, HIPAA requires the practice, if it so chooses, to inform the media as follows:
“This morning we had a patient present with symptoms of the Coronavirus. Our office had this patient immediately obtain testing to rule out the virus. After the tests were completed, it showed that the patient did in fact have the Coronavirus. Our office is in the process of notifying anyone that may have encountered the patient during the last few days of the positive test result so that they can obtain testing on their own as well. Per HIPAA requirements, we are unable to disclose the name of the patient that tested positive but have disclosed all necessary information to the CDC and other state and local authorities allowed to have such information.”
Keeping the information general, so that the patient cannot specifically be identified, will allow the public to know of additional Coronavirus cases without subjecting the patient to potential discrimination, stigmatization, or other unfortunate circumstances.
HIPAA still applies to Covered Entities and Business Associates during times of national emergency. Providers should continue to implement reasonable safeguards to protect patient information and understand HIPAA-permitted uses and disclosures that apply during national emergencies. The permitted uses and disclosures discussed in this article are highly fact-specific—we recommend Covered Entities and Business Associates seek legal/compliance opinions to cover the unique challenges posed by COVID-19 and other national emergencies.
Sandberg Phoenix and its health care regulatory compliance attorneys stand ready to provide assistance to health care professionals and entities during this unique and challenging time.