Health care providers, health plans, and others who are subject to HIPAA are sure to have questions about when they may disclose information about individuals who have contracted, or been exposed to, Coronavirus (COVID-19).
To address these questions, the Office of Civil Rights, U.S. Department of Health and Human Services, issued a bulletin, reminding us that the privacy rules of HIPAA continue to apply in an emergency while identifying when the rules allow for the responsible use and disclosure of protected health information in the case of a serious contagion.
The threshold question may be whether HIPAA applies at all. It is important to remember that HIPAA’s privacy rules extend only to covered entities (health plans, health care clearinghouses, and most health care providers) and their business associates. If an employee notifies his or her employer that that the employee is self-quarantining because he or she has tested positive for the virus, the employer would not be subject to HIPAA’s requirements with regard to that information. But if an employer finds out that an employee has the virus from the employer’s health plan, that information would be subject to HIPAA.
Even if HIPAA does not apply, an entity may consider its requirements as a useful touchstone for how to handle personally identifiable information in difficult situations.
Under HIPAA, an individual’s protected health information (PHI) may be disclosed without the individual’s authorization in various circumstances, including:
- to providers for the treatment of patients;
- to appropriate authorities engaged in public health activities;
- to individuals at risk for contracting or spreading the virus (if permitted by other applicable laws);
- to an individual’s friends and family members involved in the individual’s care (with the individual’s verbal consent or, often, tacit permission);
- to a person in a position to prevent or lessen a serious and imminent threat to the health and safety of an individual or the public (consistent with other applicable laws and standards for ethical conduct).
Thus, information may be disclosed to the Center for Disease Control and to state and local health departments that are collecting information about the spread of the virus, and HIPAA will not prevent reasonable and appropriate action to alert individuals who have been exposed to the virus.
However, covered entities still need to be mindful of HIPAA’s requirements to safeguard PHI from inappropriate uses and disclosures. Covered entities and business associates must continue to take care to use and disclose only the minimum amount of PHI necessary and to verify the identity and, where appropriate, authority of individuals making inquiries. In view of the attention that the virus is receiving, particular care should be taken in communications with the media.
A sound HIPAA analysis does not end the inquiry. The collection, use, and disclosure of information may be limited by other privacy laws and relevant circumstances. Employers, for example, may need to consider the restrictions imposed by the Americans with Disabilities Act. Concerns about the spread of COVID-19 may warrant action that involves personal medical information in various circumstances, but the privacy of affected individuals must still be considered.