HIPAA: Disclosure of PHI during the COVID-19 Pandemic
By Procopio Partner Robert G. Marasco and Associates Rachael A. Harrington and Julian J.G. Lean
There is perhaps no industry more impacted by the novel coronavirus known as COVID-19 than the health care industry. It’s natural for health care executives to focus on the immediate demands of diagnosis and care of patients and protection of their health care workers. It is worthwhile, however, to pause and recognize that lawmakers and regulators are making decisions that impact the health care industry. Nowhere is that more relevant than changes impacting the Health Insurance Portability and Accountability Act, or HIPAA.
HIPAA guards the privacy of patient’s protected health information (“PHI”). HIPAA safeguards remain in effect during emergencies. However, the Secretary of the U.S. Department of Health and Human Services (HHS) Alex M. Azar has waived penalties for violations of specified HIPAA restrictions. In addition, HIPAA regulations already contain many exemptions to the disclosure of PHI, which may be relevant during an emergency. HHS issued a full statement regarding the above waivers. This statement can be found here.
Section 1135 Waiver:
On January 31, 2020, the Secretary of the U.S. Department of Health and Human Services (HHS) Alex M. Azar announced a nationwide public health emergency exists and has existed since January 27, 2020. Effective March 15, 2020, Secretary Azar used his authority under the Social Security Act Section 1135(b)(7) to waive sanctions and penalties for failure to comply with the following HIPAA provisions:
- The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
- The requirement to honor a request to opt out of the facility directory.
- The requirement to distribute a notice of privacy practices.
- The patient’s right to request privacy restrictions.
- The patient’s right to request confidential communications.
This waiver became effective March 15, 2020, and applies only to (1) the areas identified in the declaration of a public health emergency, which in the current case is nationwide, (2) hospitals that have implemented their disaster protocols, and (3) for up to 72 hours after the hospital implements its disaster protocol.
Additionally, access to Medicare telehealth services has been broadened significantly. Telehealth services are traditionally reserved for people in rural areas. However, under this expansion of telehealth services, the guidance is that “for the duration of the COVID-19 Public Health Emergency, Medicare will make payment for professional services furnished to beneficiaries in all areas of the country in all settings.” You can find CMS’s full statement here.
Exemptions to the Disclosure of HIPAA:
In addition to the specific waivers outlined above, HIPAA already contains numerous provisions permitting the disclosure of PHI in specific circumstances. In its announcement, HHS identified a number of these provisions that are particularly relevant during the current crisis. For example:
- Treatment: Covered entities do not need a patient’s authorization to disclose PHI necessary to treat that patient or even to treat a different patient. See 45 CFR § 164.501.
- Public Health Activities: A covered entity may disclose PHI to a “public health authority,” at the direction of a public health authority, and to persons at risk. See 45 CFR § 164.512(b)(1). HHS provided the following example: a covered entity may disclose to the CDC PHI on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have COVID-19.
- Disclosure to Family, Friends and Others Involved in an Individual’s Care: A covered entity may share protected health information with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary to notify family members and others, the police, the press, or the public at large. See 45 CFR § 164.510(b).
- Disclosure to Prevent or Lessen a Serious and Imminent Threat: Health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. See 45 CFR § 164.512(j).
- Disclosure to the Media or Others Not Involved in the Care of the Patient: A covered entity normally can only publicly report PHI with the written authorization of the patient. See 45 CFR § 164.508. If a patient has not objected to or restricted the release of PHI the covered entity may (in response to a request about a particular patient) disclose certain directory information about a patient (i.e., confirmation of location of patient at facility and general condition of patient). The limited directory information may also be disclosed if the patient is incapacitated and the disclosure is believed to be in the best interest of the patient and disclosure is consistent with a prior expressed preference of the patient. See 45 CFR § 164.510(a).
At all times, a covered entity is only permitted to disclose the minimum necessary information to accomplish the purpose of the disclosure.
If you have any questions related to the scope of HIPAA, the waivers announced to address this public health emergency, disclosure of PHI under HIPAA or a 1135 Waiver, you should involve your legal counsel to avoid any improper and unauthorized disclosure.