HIPAA Laws: Pandemic Exempt or Not?

During the COVID-19 pandemic, the US Department of Health and Human Services (HHS) was authorized to waive or modify certain Health Insurance Portability and Accountability Act (HIPAA) requirements. The HHS Secretary could waive or modify HIPAA rules during a public health emergency, which includes significant outbreaks of infectious disease. However, the HIPAA Privacy Rule, which protects patients' health information, was not waived during the pandemic. While certain provisions regarding the disclosure of patients' health information without their written authorization could be waived, healthcare organizations were still required to comply with the administrative, physical, and technical safeguards of the HIPAA Security Rule.

| Characteristics | Values |
| --- | --- |
| Does HIPAA apply during a pandemic? | Yes, but certain provisions can be waived in specific instances. |
| Who does HIPAA apply to? | "Covered Entities" and their "Business Associates" |
| What are "Covered Entities"? | Health plans, health care clearinghouses, and most health care providers |
| What are "Business Associates"? | Persons or entities that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information |
| Can covered entities disclose PHI without patient authorization? | Yes, in certain cases, such as for treatment purposes, to public authorities, to someone who might have COVID-19, or to family and friends. |
| Can covered entities disclose PHI without patient authorization to the media or public at large? | No, unless the patient hasn't objected to the release of basic information. |
| What is a "Notification of Enforcement Discretion" (NED)? | A commitment by the Office of Civil Rights (OCR) to not enforce certain legal requirements during an emergency. |
| How many NEDs were issued during the COVID-19 pandemic? | Four |
| What did the four NEDs during COVID-19 address? | Telehealth, business associates' use and disclosure of PHI, COVID-19 community-based testing sites, and web-based scheduling applications for COVID-19 vaccination appointments. |
| What is the Public Health Service (PHS) Act? | The foundation of the HHS' legal authority for responding to public emergencies. |
| What is the PREP Act? | Authorizes the HHS Secretary to issue a declaration providing immunity from liability for claims arising from the use of countermeasures to diseases that pose a public health emergency. |

Disclosing PHI without patient authorization to public authorities

Disclosing PHI to public authorities without patient authorization is permitted in specific circumstances, as outlined by the HIPAA Privacy Rule and subsequent guidance. This is particularly relevant during a pandemic, such as COVID-19, where public health and safety are at risk.

Firstly, it's important to understand who is considered a public authority in this context. Public authorities include local, state, and federal health departments, the Centers for Disease Control and Prevention (CDC), and foreign government agencies collaborating with public health authorities. Additionally, any person or entity granted authority from, or under contract with, a public health agency is also included.

During the COVID-19 pandemic, the Office of Civil Rights (OCR) acknowledged that disclosing a patient's PHI without their written permission might be necessary to treat them or protect public health. As a result, specific provisions of the HIPAA Privacy Rule were waived regarding the disclosure of PHI without patient authorization. This was due to the declaration of a national Public Health Emergency.

Covered entities and their business associates were allowed to disclose PHI to public authorities without written authorization to prevent or control the spread of COVID-19. This included sharing information with those authorized to collect or receive such data, like public health authorities, and with individuals who were exposed to, at risk of contracting, or could reduce the spread of COVID-19.

In non-pandemic situations, HIPAA permits disclosures to public health authorities and others when necessary to control the spread of infectious diseases or protect the public from harm. This is an exception to the general rule requiring patient authorization for disclosing PHI.

It's worth noting that while HIPAA provides guidance, other state and federal laws may also apply to the disclosure of PHI. These laws, such as those protecting mental health treatment information and substance/alcohol rehabilitation records, often provide stronger confidentiality protections. Therefore, it's essential to be aware of and comply with all relevant regulations when disclosing PHI to public authorities.

Disclosing PHI without patient authorization to someone who might have COVID-19

Covered entities, including health plans, health care providers, and health care clearinghouses, can disclose PHI to individuals who may have been exposed to or are at risk of contracting or spreading COVID-19 without patient authorization if permitted by state or other relevant laws. This is permitted to prevent or reduce a serious health threat to the individual or the public. Good faith is presumed if the belief is based on the covered entity's actual knowledge or credible representation by someone with apparent knowledge or authority.

Covered entities must comply with HIPAA and other confidentiality laws during a pandemic. While certain emergency provisions may apply, entities must continue to meet their obligations to protect patient health information and implement reasonable safeguards. The obligation to conduct periodic HIPAA security assessments also continues during an emergency.

Covered entities should be mindful of HIPAA's minimum necessary requirements when making disclosures. They must also be aware of other applicable state and federal laws that may impose additional restrictions on disclosing PHI.

Disclosing PHI without patient authorization to family and friends

During the COVID-19 pandemic, the Office of Civil Rights (OCR) has provided guidance on how covered entities and business associates may disclose protected health information (PHI) without a patient's authorization. This is permitted in certain circumstances, including to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.

PHI can be disclosed without patient authorization to family, friends, or other persons involved in the patient's care. This is allowed when it is in the patient's best interest, particularly when trying to notify family members, guardians, or people responsible for the patient about their location, condition, or death. Covered entities should attempt to obtain verbal permission from patients or reasonably infer that the patient wouldn't object. If the patient is incapacitated or unavailable, PHI can still be shared based on professional judgment, but only the necessary and related information should be disclosed.

Additionally, PHI can be disclosed without patient authorization to disaster relief organizations for coordinating family, friend, and caretaker notifications. This is permitted if obtaining authorization would interfere with the organization's ability to respond to the emergency.

The HIPAA Privacy Rule

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule protects patients' protected health information (PHI). This rule applies during the COVID-19 pandemic, but there are some temporary changes and waivers to the rule during this time.

During the COVID-19 pandemic, the Office of Civil Rights (OCR) has waived certain provisions of the HIPAA Privacy Rule regarding the disclosure of patients' PHI without their written authorization. This waiver applies only to covered hospitals that have implemented a disaster protocol and only for up to 72 hours from the time of implementation. The waived provisions include the requirements to honor a patient's request to opt out of a facility directory, to obtain a patient's agreement to speak with others involved in their care, and to distribute privacy notices.

Additionally, during the COVID-19 public health emergency, the OCR has suspended enforcement of HIPAA penalties for providers using non-public facing audio or video methods of communication to facilitate remote communication between providers and patients.

It is important to note that the HIPAA Privacy Rule allows disclosures to public health authorities and others when necessary for controlling the spread of the virus or protecting the public from harm. These exceptions are made for the public good to address the emergency situation, but they do not provide a blanket exemption from compliance with applicable regulations.

The Public Health Service Act

During the COVID-19 pandemic, section 42 U.S.C. § 265 was used for Title 42 expulsions. The Act has since been amended several times, including by the Health Insurance Portability and Accountability Act of 1996.

The Act forms the foundation of the Department of Health and Human Services' (HHS) legal authority for responding to public emergencies. It authorises the HHS Secretary to take key actions, such as leading all federal public health and medical responses, declaring a public health emergency, assisting states in meeting health emergencies, maintaining the Strategic National Stockpile, and controlling communicable diseases.

The Act was amended by the Pandemic and All-Hazards Preparedness Act (PAHPA) of 2006 and the Pandemic and All-Hazards Reauthorization Act (PAHPRA) of 2013. Under the Act, the HHS Secretary may determine that a disease presents a public health emergency or that such an emergency otherwise exists. Following a declaration, the Secretary can take several actions, including making grants, entering into contracts, and conducting investigations into the cause, treatment, or prevention of the disease. The Secretary can also waive or modify certain Medicare, Medicaid, Children's Health Insurance Program (CHIP), and Health Insurance Portability and Accountability Act (HIPAA) requirements.

The PREVENT Pandemics Act, introduced in 2022, aims to prepare for and respond to existing viruses, emerging threats, and pandemics. It proposes to establish a National Task Force on the Response of the United States to the COVID-19 Pandemic to examine and assess the country's preparedness for and response to the pandemic. The Act also proposes amendments to the Public Health Service Act regarding the appointment and authority of the Director of the Centers for Disease Control and Prevention and the establishment of an Office of Pandemic Preparedness and Response Policy.

Frequently asked questions

Yes, HIPAA laws apply during a pandemic. However, certain provisions of the HIPAA Privacy Rule can be waived in specific instances, as a pandemic is considered a national Public Health Emergency.

The HIPAA Privacy Rule protects the security and privacy of people's Personal Health Information (PHI). It provides standards for healthcare companies to protect any PHI or electronic PHI (ePHI) that is collected, processed, transmitted, or stored.

Yes, in certain cases. Covered entities and business associates can disclose PHI without patient authorization to treat the patient or any other patient, as well as to public authorities, individuals who may have been exposed to or are at risk of spreading the disease, and family and friends involved in the patient's care.

Violating HIPAA can result in fines and penalties for covered entities and business associates. However, during a pandemic, the Office for Civil Rights (OCR) may issue Notifications of Enforcement Discretion (NEDs), which are commitments to not enforce certain legal requirements during an emergency.

Yes, in addition to HIPAA, other laws such as the Americans with Disabilities Act and the General Data Protection Regulation (GDPR) may apply to protect employee privacy during a pandemic.
