The recent outbreak of the 2019 Novel Coronavirus (“COVID-19”) in the United States has resulted in providers and governmental agencies striving to identify potential cases and contain further transmission of the virus. Healthcare providers and other covered entities, however, should monitor their evolving obligations to safeguard protected health information (“PHI”) under the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule and any applicable state laws.
HHS Limited Waiver
On March 17, 2020, Department of Health and Human Services Secretary Alex Azar issued a limited waiver for certain disclosures of PHI that would otherwise be subject to sanction under HIPAA and its corresponding regulations. This waiver was implemented pursuant to President Trump’s declaration of a nationwide emergency concerning COVID-19. Specifically, Secretary Azar announced that certain healthcare providers and covered entities that do not comply with the following HIPAA requirements would not be subject to sanctions or penalties:
- The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
- The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
- The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
- The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
- The patient’s right to request confidential communications. See 45 CFR 164.522(b).
The waiver, which became effective on March 15, 2020, applies only to hospitals and health care providers that have instituted disaster protocols, and only for up to 72 hours from the time the hospital implements its disaster protocol. The waiver will cease to apply immediately upon the termination of President Trump’s emergency declaration, at which time health care providers and other covered entities will need to ensure their compliance with HIPAA’s privacy protections.
HIPAA Privacy Rule
Generally, HIPAA’s Privacy Rule applies to covered entities—health plans, health care clearinghouses, and health care providers who transmit health information electronically—and to covered entities’ business associates. 45 C.F.R. § 160.102. The Privacy Rule prohibits the sharing of PHI except as permitted by certain exceptions. Covered entities may not disclose PHI related to potential COVID-19 diagnoses without first confirming that any such disclosure fits within one of the HIPAA exceptions.
In addition to the HHS waiver, there are a number of potentially relevant HIPAA exceptions that would permit the disclosure of PHI related to the treatment of COVID-19 and the mitigation of its spread.
For example, HIPAA permits covered entities to disclose PHI to a public health authority “that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease . . . .” 45 C.F.R. § 164.512. In the context of COVID-19, this exception allows covered entities to disclose PHI to a legally authorized public health authority charged with preventing or controlling COVID-19 without being subject to sanctions or penalties under HIPAA.
HIPAA also permits covered entities to disclose PHI to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease, provided that the entity is authorized by law to notify such a person as necessary in the conduct of a public health intervention or investigation. Id. For individuals who have tested positive for COVID-19, HIPAA also allows the disclosure of PHI for the treatment of that patient. 45 C.F.R. § 164.502. Treatment is defined by HIPAA to include providing and coordinating health care and related services, which allows for multiple entities acting in concert to treat a particular patient.
Whatever the grounds for a permissible disclosure, HIPAA generally requires that covered entities disclose the minimum information necessary to achieve the limited purpose for the disclosure. 45 C.F.R. § 164.502. According to recent HHS guidance, covered entities can rely on representations made by the CDC that the specific information requested by the CDC is the “minimum necessary” to achieve the purpose related to the coronavirus and COVID-19.
In addition to HIPAA, healthcare providers and covered entities should also consider more restrictive state laws that may prohibit certain disclosures of protected health information that are otherwise permitted by HIPAA. HIPAA expressly provides that if a more stringent state law prohibits a disclosure that HIPAA would permit, then the more stringent state law applies. Health care providers should therefore consult applicable state laws before making any disclosures that they deem to be permitted under HIPAA.
In Rhode Island, for example, the “Confidentiality of Healthcare Information and Communications Act” provides limited exceptions for the disclosure of PHI. Under that provision, disclosures made to public health authorities carrying out their authorized functions related to health and safety are permissible. R.I. Gen. Laws § 5-37.3-4. These authorized functions include, but are not limited to, investigations into the causes of disease, the control of public-health hazards, enforcement of sanitary laws, investigation of reportable diseases, certification and licensure of health professionals and facilities, and review of health care such as that required by the federal government and other governmental agencies. Id.
It is imperative that any healthcare provider or covered entity carefully review both HIPAA and any applicable state laws before making any disclosures of patient health information. Entities that are uncertain of their specific obligations to protect patient health information under state or federal law should consult legal counsel before disclosing health information related to COVID-19.