Contact Us
Categories
- Workplace Violence
- Assisted Living Facilities
- Department of Health and Human Services' Office of Civil Rights
- Medical Residents
- EMTALA
- FDA
- Reproductive Rights
- Roe v. Wade
- SCOTUS
- Medical Spas
- medical billing
- No Surprises Act
- Mandatory vaccination policies
- Workplace health
- Coronavirus Aid, Relief and Economic Security Act
- Code Enforcement
- Department of Labor ("DOL")
- Employment Law
- FFCRA
- CARES Act
- Nursing Home Reform Act
- Acute Care Beds
- Clinical Support
- Coronavirus
- COVID-19
- Emergency Medical Services
- Emergency Preparedness
- Families First Coronavirus Response Act
- Family and Medical Leave Act (“FMLA”)
- KBML
- medication assisted therapy
- SB 150
- Department of Health and Human Services
- Legislative Developments
- Corporate
- United States Department of Justice ("DOJ")
- Employee Contracts
- Non-Compete Agreement
- Opioid Epidemic
- Sexual Harassment
- Health Resource and Services Administration
- Litigation
- Medical Malpractice
- House Bill 333
- Senate Bill 79
- Locum Tenens
- Physician Prescribing Authority
- Senate Bill 4
- Chronic Pain Management
- HIPAA
- Prescription Drugs
- "Two Midnights Rule"
- 340B Program
- EHR Systems
- Hospice
- ICD-10
- Kentucky minimum wage
- Minimum wage
- Primary Care Physicians ("PCPs")
- Skilled Nursing Facilities (“SNFs”)
- Uncategorized
- Affordable Insurance Exchanges
- Drug Screening
- Electronic Health Records (“EHR")
- Fraud
- Health Care Fraud
- HIPAA Risk Assessment
- KASPER
- Kentucky Board of Medical Licensure
- Kentucky’s Department for Medicaid Services
- Mental Health Care
- Office for Civil Rights ("OCR")
- Physician Assistants
- Qui Tam
- Stark Laws
- Urinalysis
- Accountable Care Organizations (“ACO”)
- Affordable Care Act
- Alternative Payment Models
- Anti-Kickback Statute
- Centers for Medicare & Medicaid Services (“CMS”)
- Certificate of Need ("CON")
- Charitable Hospitals
- Compliance
- Data Breach
- Department of Health and Human Services (HHS)
- Electronic Protected Health Information (ePHI)
- False Claims Act
- Federally Qualified Health Centers (“FQHCs”)
- Fee for Service
- Health Information Technology for Economic and Clinical Health Act (HITECH Act)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Health Professional Shortage Area ("HPSA")
- Hospitals
- HPSA
- HRSA
- Limited Services Clinics
- Medicaid
- Medical Staff By-Laws
- Medically Underserved Area ("MUA")
- Medicare
- Mid-Level Practitioners
- Office of Inspector General of the United States Department of Health and Human Services (OIG)
- Part D
- Patient Protection and Affordable Care Act (“ACA”)
- Pharmacists
- Rural Health Centers (“RHCs”)
- Rural Health Clinic
- Telehealth
- American Telemedicine Association (“ATA”)
- Criminal Division of the Department of Justice (“DOJ”)
- Health Care Fraud Prevention and Enforcement Action Team (“HEAT”)
- Hydrocodone
- Kentucky Board of Nursing
- Kentucky Pharmacists Association
- Qualified Health Care Centers (“FQHC”)
- Telemedicine
- Agreed Order
- APRNs
- Chain and Organization System (“PECOS”)
- Douglas v. Independent Living Center of Southern California
- Drug Enforcement Agency ("DEA")
- Emergency Rooms
- Enrollment
- Hinchy v. Walgreen Co.
- Jimmo v. Sebelius
- Maintenance Standard
- Overpayments
- Re-validation
- United States ex. Rel. Kane v. Continuum Health Partners
- Vitas Innovative Hospice Care
- Webinar
- 2014 Medicare Physician Fee Schedule (“PFS”)
- 501(c)(3)
- All-Payer Claims Database ("APCD")
- Appeal
- Chiropractic services
- Chronic Care Management
- Clinical Laboratory Improvement Amendments of 1988 (“CLIA”)
- Compliance Officer
- Compounding
- CPR
- Dispenser
- Drug Quality and Security Act (“DQSA”)
- Essential Health Benefits
- HealthCare.gov
- House Bill 3204
- ICD-9
- Kentucky Senate Bill 7
- Kindred v. Cherolis
- Long-term care communities
- Medicare Part D
- Minors
- National Drug Code ("NDC")
- New England Compounding Center ("NECC")
- Ophthalmological services
- Outsourcing facility
- Physician Compare website
- Ping v. Beverly Enterprises
- Power of Attorney ("POA")
- Prescriber
- State Health Plan
- Sustainable Growth Rate (“SGR”)
- Texting
- "Plan of Correction"
- Affinity Health Plan
- Arbitration
- Audit
- Cadillac tax
- Centers for Disease Control and Prevention
- Community health needs assessment (“CHNA”)
- Condition of Participation ("CoP")
- Daycare centers
- Decertification
- Denied Claims
- Department of Medicaid Services’ (“DMS”)
- Division of Regulated Child Care
- Doe v. Guthrie Clinic
- EHR vendor
- Employer Group Health Plans
- Employer Mandate
- ERISA
- Fair Labor Standards Act (FLSA)
- False Billings
- Federation of State Medical Boards (“FSMB”)
- Food and Drug Administratio
- Form 4720
- Grace Period
- Health Professional Shortage Areas (“HPSA”)
- Health Reform
- Home Health Prospective Payment System
- Home Medical Equipment Providers
- Hospitalists
- Individual mandate
- Inpatient Care
- Intermediate Sanctions Agreement
- Kentucky Health Benefit Exchange
- Kentucky Medical Practice Act
- Kynect
- Licensed practical nurses (LPN)
- Licensure Requirements
- List of Excluded Individuals and Entities
- LLC v. Sutter
- Long-Term Care Providers ("LTC")
- Low-utilization payment adjustment ("LUPA")
- Meaningful use incentives
- Medicare Administrative Coordinators
- Medicare Benefit Policy Manual
- Medicare Shared Saving Program (MSSP)
- Mobile medical applications ("apps")
- Model Policy for the Appropriate Use of Social Media and Social Networking in Medical Practice (“Model Policy”)
- National Institutes of Health
- Network provider agreement
- Nonprofit hospitals
- Nonroutine medical supplies conversion factor (“NRS”)
- Nurse practitioners (NP)
- Office of the National Coordinator for Health Information Technology (“ONC”)
- Part A
- Part B
- Patient Privacy
- Payors
- Personal Service Entities
- Physician Payments
- Physician Recruitment
- Physician shortages
- Provider Self Disclosure Protocol
- Qualified Health Plan ("QHP")
- Quality reporting
- Registered nurses (RN)
- Residency Programs
- Self-Disclosure Protocol
- Social Media
- Spousal coverage
- Statement of Deficiency ("SOD")
- Trade Association Group Coverage
- Upcoding
- UPS
- “Superuser”
- Advanced Practice Registered Nurses
- Autism/ASD
- Business Associate Agreements
- Business Associates
- Call Coverage
- Compliance Programs
- Critical Access Hospitals (“CAHs”)
- Essential Health Benefits (“EHBs”)
- Genetic Information Nondiscrimination Act ("GINA")
- Group Purchasing Organizations ("GPO")
- House Bill 104
- Kentucky House Bill 159
- Kentucky House Bill 217
- Kentucky Primary Care Centers (“PCCs”)
- Managed Care Organizations (“MCOs”)
- Medicare Audit Improvement Act of 2012
- Patient Autonomy
- Personal Health Information
- Recovery Audit Contractors (“RAC”)
- Senate Bill 39
- Senate Finance Committee Report
- Small Business Health Options Program (“SHOP”)
- State Medicaid Expansion
- Abuse and Waste
- Center for Disease Control
- Consumer Operated and Oriented Plan programs (“CO-OPS”)
- Free Conference Committee Report
- Healthcare Information and Management Systems Society (HIMSS)
- House Bill 1
- House Bill 4
- Kentucky Cabinet for Health and Family Services
- Kentucky Health Care Co-Op
- Kentucky Health Cooperative (“KYHC”)
- Kentucky “Pill Mill Bill”
- Occupational Safety and Health Administration (“OSHA”)
- Pain Management Facilities
- Sunshine Act
- Employee Agreement
- Health Care Fraud and Abuse Control Program
- Health Insurance
- Healthcare Regulation
- Health Care Law
McBrayer Blogs
Healthcare Entities: HIPAA's Privacy Rule Exceptions in Light of COVID-19
While the HIPAA Privacy Rule protects the privacy of patients’ health information (PHI), it is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.
First, it is important to be mindful of just what HIPAA allows in terms of disclosure.
- Treatment: Covered Entities may disclose without a patient’s authorization PHI when it is necessary to treat the patient or to treat a different patient. Treatment includes the coordination or management of health and related services by one or more healthcare providers and others, consultation between providers, and the referral of patients for treatment.
- Public Health Activities: The Privacy Rule allows covered entities to disclose needed PHI without a patient’s authorization:
- To a public health authority, including the CDC, a state or local health departments. This includes agencies authorized by law to prevent or control disease. In Kentucky, this includes local health departments that are charged with investigation of COVID-19.
- To monitor and prevent cases of patients exposed to, suspected of, or confirmed to have COVID-19.
- At the direction of a public health authority.
- To persons at risk of contracting or spreading a disease or condition.
- To persons at risk of contracting or spreading a disease or condition when necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations
- Disclosures to Family, Friends, and Others Involved in an Individual’s Care: PHI may be shared with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity may also share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care of the patient’s location, general condition, or death. This may include, where necessary, notification of the family members and others, including the police, the press, or the public at large.
- The covered entity should get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible.
- For unconscious or incapacitated patients, a healthcare provider may share relevant information about the patient with family, friends, or others involved in the patient’s care or payment for care if the healthcare provider determines, based on professional judgment, that doing so is in the best interests of the patient. For example, a provider may determine that it is in the best interests of an elderly patient to share relevant information with the patient’s adult child, but generally should not share unnecessary information about the patient’s medical history without permission.
- A covered entity may share protected health information with disaster relief organizations that, like the American Red Cross, are authorized to assist in disaster relief efforts for the purpose of coordinating the notification of family members or other persons involved in the patient’s care of the patient’s location, general condition, or death. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.
- Disclosures to Prevent a Serious and Imminent Threat: Healthcare providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. Thus, providers may disclose a patient’s health information to anyone who is in a position to prevent or lesson the serious and imminent threat, including family, friends, caregivers, and law enforcement without a patient’s permission. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety.
- Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification. Except in very limited circumstances, disclosure about a patient’s PHI or COVID-19 status, is not permitted without specific written authorization. Where a patient has not objected to or restricted the release of protected health information, a health care facility may, upon a request to disclose information about a particular patient asked for by name, release limited facility directory information to acknowledge an individual is a patient at the facility, and may provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released). Covered entities may also disclose information when the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient.
Minimum Amount of Information Necessary
Even when disclosure is permitted, HIPAA’s Privacy Rule standards still apply and require only allow the minimum amount of information necessary to be disclosed. Generally, a healthcare provider must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose. (Minimum necessary requirements do not apply to disclosures to healthcare providers for treatment purposes.) Covered entities may rely on representations from a public health authority or other public official that information requested is the minimum necessary for the purpose when that reliance is reasonable under the circumstances. For example, a covered entity may rely on representations from the CDC or a public health department that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have COVID-19 is the minimum necessary for the public health purpose. In addition, internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those employees or staff who need information to carry out their work.
Strong Policies and Training
Because of the intense level of public interest and focus, healthcare providers should aggressively educate individual staff members about their duties to maintain patient health information confidential even when it concerns the COVID-19. Healthcare providers are encountering new and complicated issues about patient care and employee and public safety that should be thoughtfully addressed. Despite 24/7 coverage of the COVID-19, healthcare employees must maintain patient privacy, but they should know who to contact to answer their questions and advise them about new situations. McBrayer’s team is ready to help healthcare providers evaluate these complex questions and address them in a manner consistent with HIPAA as well as public and employee health concerns.
Lisa English Hinkle is a Member of McBrayer law. Ms. Hinkle chairs the healthcare law practice and is located in the firm’s Lexington office. Contact Ms. Hinkle at lhinkle@mcbrayerfirm.com or (859) 231-8780, ext. 1256, or reach out to any of the attorneys at McBrayer.
Services may be performed by others.
This article does not constitute legal advice.