The recent outbreak of the 2019 Novel Coronavirus (\u201cCOVID-19\u201d) in the United States has resulted in providers and governmental agencies striving to identify potential cases and contain further transmissions of the virus.\u00a0 Health care providers and other covered entities, however, should monitor their evolving obligations to safeguard protected health care information (\u201cPHI\u201d) under the Health Insurance Portability and Accountability Act (\u201cHIPAA\u201d) Privacy Rule and any applicable state laws.<\/p>\n
On March 17, 2020, Department of Health and Human Service Secretary Alex Azar issued a limited waiver for certain disclosures of PHI that would otherwise be subject to sanction under HIPAA and its corresponding regulations.\u00a0 This waiver was implemented pursuant to President Trump\u2019s declaration of a nationwide emergency concerning COVID-19.\u00a0 Specifically, Secretary Azar announced that certain health care providers and covered entities that do not comply with the following HIPAA requirements would not be subject to sanction or penalties:<\/p>\n
The waiver, which became effective on March 15, 2020, only applies to hospitals and health care providers that have instituted disaster protocols, and only for up to 72 hours from the time the hospital implements its disaster protocol.\u00a0 This waiver will no longer apply immediately upon the termination of President Trump\u2019s emergency declaration, at which time health care providers and other covered entities will need to ensure their compliance with HIPAA\u2019s privacy protection.<\/p>\n
Generally, HIPAA\u2019s Privacy Rule applies to Covered entities\u2014health plans, health care clearinghouses, and health care providers who transmit health information electronically\u2014and to Covered entities\u2019 business associates.\u00a0 45 C.F.R. \u00a7\u00a0160.102.\u00a0 The Privacy Rule prevents the sharing of PHI except as permitted by certain exceptions.\u00a0 Covered entities may not disclose PHI related to potential COVID-19 diagnoses without first confirming that any such disclosure fits within one of the HIPAA exceptions.<\/p>\n
In addition to the HHS waiver, there are a number of potentially relevant HIPAA exceptions that would permit the disclosure of PHI related to the treatment of COVID-19 and the mitigation of its spread.<\/p>\n
For example, HIPAA permits covered entities to disclose PHI to a public health authority \u201cthat is authorized by law to collect or receive such information for the purpose of preventing or controlling disease .\u00a0.\u00a0.\u00a0.\u201d\u00a0 45 C.F.R. \u00a7 164.512.\u00a0 In the context of COVID-19, this exception allows covered entities to disclose PHI to a legally authorized public health authority charged with preventing or controlling COVID-19 without being subject to sanctions or penalties under HIPAA.<\/p>\n
Additionally, HIPAA also permits covered entities to disclose PHI to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease, provided that the entity is authorized by law to notify such a person as necessary in the conduct of a public health intervention or investigation.\u00a0 Id.<\/em>\u00a0 For the individuals who have tested positive for COVID-19, HIPAA also allows for the disclosure of PHI for the treatment of that patient.\u00a0 45 C.F.R. \u00a7\u00a0164.502.\u00a0 Treatment is defined by HIPAA to include providing and coordinating health care and related services, allowing for the possibility of efforts of multiple entities acting in concert to treat the particular patient.<\/p>\n Whatever the grounds for a permissible disclosure, HIPAA generally requires that covered entities disclose the minimum information necessary to achieve the limited purpose for the disclosure.\u00a0 45 C.F.R. \u00a7\u00a0164.502.\u00a0 According to recent HHS guidance, covered entities can rely on representations made by the CDC that the specific information requested by the CDC is the \u201cminimum necessary\u201d to achieve the purpose related to the coronavirus and COVID-19.<\/p>\n In addition to HIPAA, health care providers and covered entities should also consider more restrictive state laws that may prohibit certain disclosures of protected health information that are otherwise permitted by HIPAA.\u00a0 HIPAA expressly provides that if a more stringent state law prohibits a disclosure that HIPAA would permit, then the more stringent state law applies.\u00a0 Health care providers should therefore consult applicable state laws before making any disclosures that they deem are permitted under HIPAA.<\/p>\n In Rhode Island, for example, the \u201cConfidentiality of Health care Information and Communications Act\u201d provides limited exceptions for the disclosure of PHI.\u00a0 Under that provision, disclosures made to public health authorities carrying out their authorized functions related to health and safety are permissible.\u00a0 R.I. Gen. Laws \u00a7 5-37.3-4.\u00a0 These authorized functions include, but are not limited to, investigations into the causes of disease, the control of public-health hazards, enforcement of sanitary laws, investigation of reportable diseases, certification and licensure of health professionals and facilities, and review of health care such as that required by the federal government and other governmental agencies.\u00a0 Id<\/em>.<\/p>\n It is imperative that any health care provider or covered entity carefully review both HIPAA and any applicable state laws before making any disclosures of patient health care information.\u00a0 Entities that are uncertain of their specific obligations to protect patient health care information under state or Federal law should consult legal counsel before disclosing health information related to COVID-19.<\/p>\n","protected":false},"excerpt":{"rendered":" The recent outbreak of the 2019 Novel Coronavirus (\u201cCOVID-19\u201d) in the United States has resulted in providers and governmental agencies striving to identify potential cases and contain further transmissions of the virus.\u00a0 Health care providers and other covered entities, however, should monitor…<\/p>\n","protected":false},"author":7,"featured_media":914,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[11,6,9,4,13,14],"tags":[7,8,12,15],"class_list":["post-307","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-health-care-law","category-coronavirus","category-covid-19","category-health-care","category-hippa","category-patient-privacy","tag-coronavirus","tag-covid-19","tag-health-care","tag-patient-privacy"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.apslaw.com\/vital-signs\/wp-json\/wp\/v2\/posts\/307","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.apslaw.com\/vital-signs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.apslaw.com\/vital-signs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.apslaw.com\/vital-signs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/www.apslaw.com\/vital-signs\/wp-json\/wp\/v2\/comments?post=307"}],"version-history":[{"count":0,"href":"https:\/\/www.apslaw.com\/vital-signs\/wp-json\/wp\/v2\/posts\/307\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.apslaw.com\/vital-signs\/wp-json\/wp\/v2\/media\/914"}],"wp:attachment":[{"href":"https:\/\/www.apslaw.com\/vital-signs\/wp-json\/wp\/v2\/media?parent=307"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.apslaw.com\/vital-signs\/wp-json\/wp\/v2\/categories?post=307"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.apslaw.com\/vital-signs\/wp-json\/wp\/v2\/tags?post=307"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}State Law<\/u><\/h2>\n