Healthcare Law Blog

Healthcare Entities: HIPAA's Privacy Rule Exceptions in Light of COVID-19

While the HIPAA Privacy Rule protects the privacy of patients’ health information (PHI), it is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.

First, it is important to be mindful of just what HIPAA allows in terms of disclosure.

1. Treatment: Covered Entities may disclose without a patient’s authorization PHI when it is necessary to treat the patient or to treat a different patient. Treatment includes the coordination or management of health and related services by one or more healthcare providers and others, consultation between providers, and the referral of patients for treatment.
2. Public Health Activities: The Privacy Rule allows covered entities to disclose needed PHI without a patient’s authorization:
   1. To a public health authority, including the CDC, a state or local health departments. This includes agencies authorized by law to prevent or control disease. In Kentucky, this includes local health departments that are charged with investigation of COVID-19.
   2. To monitor and prevent cases of patients exposed to, suspected of, or confirmed to have COVID-19.
   3. At the direction of a public health authority.
   4. To persons at risk of contracting or spreading a disease or condition.
   5. To persons at risk of contracting or spreading a disease or condition when necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations
3. Disclosures to Family, Friends, and Others Involved in an Individual’s Care: PHI may be shared with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity may also share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care of the patient’s location, general condition, or death. This may include, where necessary, notification of the family members and others, including the police, the press, or the public at large.
   1. The covered entity should get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible.
   2. For unconscious or incapacitated patients, a healthcare provider may share relevant information about the patient with family, friends, or others involved in the patient’s care or payment for care if the healthcare provider determines, based on professional judgment, that doing so is in the best interests of the patient. For example, a provider may determine that it is in the best interests of an elderly patient to share relevant information with the patient’s adult child, but generally should not share unnecessary information about the patient’s medical history without permission. 
   3. A covered entity may share protected health information with disaster relief organizations that, like the American Red Cross, are authorized to assist in disaster relief efforts for the purpose of coordinating the notification of family members or other persons involved in the patient’s care of the patient’s location, general condition, or death. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency. 
4. Disclosures to Prevent a Serious and Imminent Threat: Healthcare providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. Thus, providers may disclose a patient’s health information to anyone who is in a position to prevent or lesson the serious and imminent threat, including family, friends, caregivers, and law enforcement without a patient’s permission. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety. 
5. Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification.  Except in very limited circumstances, disclosure about a patient’s PHI or COVID-19 status, is not permitted without specific written authorization.  Where a patient has not objected to or restricted the release of protected health information, a health care facility may, upon a request to disclose information about a particular patient asked for by name, release limited facility directory information to acknowledge an individual is a patient at the facility, and may provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released). Covered entities may also disclose information when the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient.

Minimum Amount of Information Necessary 

Even when disclosure is permitted, HIPAA’s Privacy Rule standards still apply and require only allow the minimum amount of information necessary to be disclosed. Generally, a healthcare provider must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose.  (Minimum necessary requirements do not apply to disclosures to healthcare providers for treatment purposes.)  Covered entities may rely on representations from a public health authority or other public official that information requested is the minimum necessary for the purpose when that reliance is reasonable under the circumstances. For example, a covered entity may rely on representations from the CDC or a public health department that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have COVID-19 is the minimum necessary for the public health purpose.  In addition, internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those employees or staff who need information to carry out their work.

Strong Policies and Training 

Because of the intense level of public interest and focus, healthcare providers should aggressively educate individual staff members about their duties to maintain patient health information confidential even when it concerns the COVID-19. Healthcare providers are encountering new and complicated issues about patient care and employee and public safety that should be thoughtfully addressed. Despite 24/7 coverage of the COVID-19, healthcare employees must maintain patient privacy, but they should know who to contact to answer their questions and advise them about new situations.  McBrayer’s team is ready to help healthcare providers evaluate these complex questions and address them in a manner consistent with HIPAA as well as public and employee health concerns.

Lisa English Hinkle is a Member of McBrayer law. Ms. Hinkle chairs the healthcare law practice and is located in the firm’s Lexington office. Contact Ms. Hinkle at lhinkle@mcbrayerfirm.com or (859) 231-8780, ext. 1256, or reach out to any of the attorneys at McBrayer. 

Services may be performed by others.

This article does not constitute legal advice.