Coronavirus and HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) Rules still apply during public health emergencies such as the 2019 Novel Coronavirus (SARS-CoV-2) outbreak. When preventing and dealing with cases of COVID-19, the respiratory disease caused by SARS-CoV-2, HIPAA Rules must be followed. Some healthcare professionals may be unsure about COVID-19 and HIPAA compliance and how the public health emergency declared by HHS Secretary Alex Azar on January 31, 2020 impacts their daily working lives and disclosures of patient information.

In response to the growing number of COVID-19 cases in the United States, the HHS Secretary exercised his right to issue a limited waiver of HIPAA sanctions and penalties for noncompliance with certain aspects of the HIPAA Privacy Rule. The limited HIPAA waiver took effect on March 15, 2020 and applies to locations in the United States and its territories where the COVID-19 public health emergency is in effect. The waiver only applies to hospitals that have implemented their disaster protocol and the waiver applies for 72 hours from the date/time that the disaster protocol was initiated. When either the presidential or secretarial public health emergency terminates, the waiver ceases to apply, even for patients still under the care of hospitals.

The waiver only applies to the following provisions of the HIPAA Privacy Rule:

  • Obtaining a patient’s agreement to speak with their family, friends, or other individuals involved in their care
  • Honoring a patient’s request to opt out of the facility directory
  • Distributing notices of privacy practices
  • The patient’s right to request privacy restrictions
  • The patient’s right to request confidential communications

There is no waiver of sanctions and penalties for noncompliance with the HIPAA Security Rule or HIPAA Breach Notification Rule during a public health emergency. Appropriate safeguards must still be put in place to ensure the confidentiality, integrity, and availability of ePHI, data breaches must still be reported, and patients must be notified about security incidents involving their PHI.

SARS-CoV-2, COVID-19 and HIPAA

Even when no HIPAA waiver issued, the HIPAA Privacy Rule permits certain disclosures of patient information without having to first obtain authorization from patients. In all cases, the minimum necessary standard applies. Disclosures should be limited to the minimum necessary information for the purpose for the disclosure to be achieved.

As always, protected health can be disclosed, as necessary, for the purpose of treating a patient or another patient. Disclosures of PHI are permitted when required for the coordination and management of care between healthcare providers and caregivers, as part of consultations with other providers, and for the referral of patients.

PHI can be disclosed for public health activities. PHI can be provided to public health authorities and others involved in ensuring the health and safety of the public, which includes government departments and agencies acting under the authority of the U.S. government, such as the CDC. Disclosures to foreign governments are permitted, if directed to do so by a public health authority. It is also permitted to disclose limited PHI to persons at risk of spreading or contracting COVID-19.

Disclosures are permitted without prior authorization to prevent or lessen a serious or imminent threat. Healthcare providers can share PHI with anyone in a position to reduce or lessen the threat from SARS-CoV-2 to a person or the public, provided the disclosure is consistent with applicable laws. In such cases, healthcare professionals should use their professional judgement.

A healthcare provider can disclose PHI to a patient’s family members, relatives, friends, or other persons who have been identified by the patient as being involved in their care. In such cases, verbal permission should be obtained from the patient prior to the disclosure. If the patient is incapacitated or unconscious, professional judgement should be used to determine if sharing information is in the patient’s best interest and whether they would be likely to object.

Patient information can also be shared with disaster relief organizations, that have been authorized by charter to assist in the disaster relief efforts, for the purpose of coordinating notification of family members and others involved in the care of the patient.

Disclosures to the media are permitted and to others not involved in the patient’s care if a request is received about a patient by name, provided the patient has not objected to the release of their protected health information. In such cases, healthcare providers may release limited faculty directory information and information about the patient’s condition in general terms e.g. stable, critical, deceased.

The HHS has issued a bulletin about Covid-19 and HIPAA, the limited HIPAA waiver, and how the HIPAA Privacy Rule allows reasonable uses and disclosures of patient information during a disease outbreak or other public health emergency. You can view the COVID-19 and HIPAA bulletin on this link.

COVID-19 and Telehealth Services

With the nation told to practice social distancing to prevent the spread of COVID-19, the Trump administration has taken the decision to relax the regulations for telehealth services.

According to a bulletin issued by the HHS’ Office for Civil Rights on Tuesday March 15, 2020, “[OCR] will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”

Telehealth platforms can be used if they allow private chats, such as Apple Facetime, Google Hangouts, Facebook Messenger, and Skype, although public-facing platforms such as TikTok and Facebook Live must not be used.

Covered entities are still required to implement reasonable administrative, physical, and technical safeguards to ensure PHI is protected against intentional or unintentional impermissible uses and disclosures.

You can view the OCR announcement about enforcement discretion related to COVID-19 and HIPAA sanctions and penalties on this link.