
HIPAA: Disclosure of PHI during the COVID-19 Pandemic

By Procopio Partner Robert G. Marasco and Associates Rachael A. Harrington and Julian J.G. Lean

There is perhaps no industry more impacted by the novel coronavirus known as COVID-19 than the health care industry. It’s natural for health care executives to focus on the immediate demands of diagnosis and care of patients and protection of their health care workers. It is worthwhile, however, to pause and recognize that lawmakers and regulators are making decisions that impact the health care industry. Nowhere is that more relevant than changes impacting the Health Insurance Portability and Accountability Act, or HIPAA.

HIPAA guards the privacy of patients’ protected health information (“PHI”). HIPAA safeguards remain in effect during emergencies. However, the Secretary of the U.S. Department of Health and Human Services (HHS) Alex M. Azar has waived penalties for violations of specified HIPAA restrictions. In addition, HIPAA regulations already contain many exemptions to the disclosure of PHI, which may be relevant during an emergency. HHS issued a full statement regarding the above waivers. This statement can be found here.

Section 1135 Waiver:

On January 31, 2020, the Secretary of the U.S. Department of Health and Human Services (HHS) Alex M. Azar announced that a nationwide public health emergency exists and has existed since January 27, 2020. Effective March 15, 2020, Secretary Azar used his authority under the Social Security Act Section 1135(b)(7) to waive sanctions and penalties for failure to comply with the following HIPAA provisions:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
  • The requirement to honor a request to opt out of the facility directory.
  • The requirement to distribute a notice of privacy practices.
  • The patient’s right to request privacy restrictions.
  • The patient’s right to request confidential communications.

This waiver became effective March 15, 2020, and applies only (1) in the areas identified in the declaration of a public health emergency, which in the current case is nationwide, (2) to hospitals that have implemented their disaster protocols, and (3) for up to 72 hours after the hospital implements its disaster protocol.

Additionally, access to Medicare telehealth services has been broadened significantly. Telehealth services are traditionally reserved for people in rural areas. However, under this expansion of telehealth services, the guidance is that “for the duration of the COVID-19 Public Health Emergency, Medicare will make payment for professional services furnished to beneficiaries in all areas of the country in all settings.” You can find CMS’s full statement here.

Exemptions to the Disclosure of HIPAA:

In addition to the specific waivers outlined above, HIPAA already contains numerous provisions permitting the disclosure of PHI in specific circumstances. In its announcement, HHS identified a number of these provisions that are particularly relevant during the current crisis. For example:

  • Treatment: Covered entities do not need a patient’s authorization to disclose PHI necessary to treat that patient or even to treat a different patient. See 45 CFR § 164.501.
  • Public Health Activities: A covered entity may disclose PHI to a “public health authority,” at the direction of a public health authority, and to persons at risk. See 45 CFR § 164.512(b)(1). HHS provided the following example: a covered entity may disclose to the CDC PHI on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have COVID-19.
  • Disclosure to Family, Friends and Others Involved in an Individual’s Care: A covered entity may share protected health information with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary to notify family members and others, the police, the press, or the public at large. See 45 CFR § 164.510(b).
  • Disclosure to Prevent or Lessen a Serious and Imminent Threat: Health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. See 45 CFR § 164.512(j).
  • Disclosure to the Media or Others Not Involved in the Care of the Patient: A covered entity normally can only publicly report PHI with the written authorization of the patient. See 45 CFR § 164.508. If a patient has not objected to or restricted the release of PHI, the covered entity may (in response to a request about a particular patient) disclose certain directory information about a patient (i.e., confirmation of location of patient at facility and general condition of patient). The limited directory information may also be disclosed if the patient is incapacitated, the disclosure is believed to be in the best interest of the patient, and the disclosure is consistent with a prior expressed preference of the patient. See 45 CFR § 164.510(a).

At all times, a covered entity is only permitted to disclose the minimum necessary information to accomplish the purpose of the disclosure. 

If you have any questions related to the scope of HIPAA, the waivers announced to address this public health emergency, disclosure of PHI under HIPAA or an 1135 Waiver, you should involve your legal counsel to avoid any improper and unauthorized disclosure.

Robert G. Marasco is the leader of Procopio's Health Care practice group. He aids clients in a wide spectrum of business situations. In the civil context, he acts as an outside general counsel to a variety of businesses advising on various legal and business matters, and also leads the strategic litigation needs of these businesses. In the health care context, Robert advises clients, including independent physician associations, foundation-based physician groups, and other medical practices on health care compliance and fraud and abuse, the Anti-Kickback Statute, the Stark Law, and defends clients against OIG health care audits and False Claims Act matters and governmental investigations. He also advises on compliance with health care privacy laws such as HIPAA and the California CMIA, investigates data privacy compliance, and responds to data breaches. Additionally, Robert has extensive experience representing hospital medical staffs in disciplinary proceedings and is authorized by the CA Society for Healthcare Attorneys to serve as a hearing officer for such matters.

Rachael A. Harrington provides counsel to hospitals, medical staffs, and physician groups with a focus on policy review and development, corrective action, medical staff credentialing and privileging, and judicial review hearings. She provides legal advice to medical staffs on a range of legal issues including industry-specific laws related to state and federal reporting requirements, fair procedure hearing rights, and peer review protections. She further assists medical staffs in regular policy review and bylaw revisions and updates. In addition, Rachael assists in defending hospitals in whistleblower claims and litigation.

Julian J.G. Lean focuses on providing legal counseling and representation in the healthcare field. Julian currently provides legal counsel to hospitals, medical staffs, and physician groups throughout California and represents clients in judicial review hearings and civil lawsuits. As part of his practice, Julian regularly represents medical staffs with issues related to quality improvement, bylaws, policies and procedures, credentialing and privileging, regulatory agency investigations, and peer review. This includes managing issues presented by clients on a day-to-day basis, providing support for investigations and reviews of practitioners with clinical and behavioral issues, counseling and assisting in the medical staff decision-making process, and representing clients throughout the judicial review hearing process. Julian is also experienced in drafting policies and agreements to facilitate regulatory compliance and adopt changes in organizational structure.