HIPAA Compliance During COVID-19: What You Need to Know

The COVID-19 pandemic has raised several questions about the applicability of HIPAA laws, especially regarding the disclosure of protected health information (PHI). While the HIPAA Privacy Rule, which safeguards patients' PHI, is not waived during the pandemic, certain provisions can be relaxed in specific instances, such as disclosing PHI to treat a patient or protect public health. This is because COVID-19 was declared a national Public Health Emergency, allowing for some flexibility in HIPAA rules for covered entities like hospitals and health departments. However, HIPAA only applies to covered entities and their business associates, and any information disclosed outside of this context is not subject to HIPAA.

| Characteristics | Values |
|---|---|
| HIPAA Privacy Rule | Protects patients' protected health information (PHI) |
| HIPAA Privacy Rule During COVID-19 | Not waived, but certain provisions regarding the disclosure of patients' PHI without their written authorization can be waived without sanctions or penalties |
| Covered Entities | Health plans, health care providers, health care clearinghouses, and business associates |
| Business Associates | Person or entity that carries out activities involving PHI on behalf of or when providing services to a covered entity |
| Telehealth | Remote delivery of care by health care providers, including audio-only and combination audio-video |
| Telehealth Technology | Apple FaceTime, Facebook Messenger Video Chat, Google Hangouts Video, Zoom, and Skype |
| Telehealth Enforcement Discretion | Ended April 11, 2023 |
| COVID-19 Public Health Emergency | Declared under Section 319 of the Public Health Service Act; renewed multiple times since January 27, 2020; slated to expire on January 11, 2023 |
| HIPAA Sanctions and Penalties | Civil and criminal penalties, including fines and imprisonment |

lawshun

Disclosing PHI to the media

During the COVID-19 public health emergency, covered entities and business associates were permitted to disclose PHI without patient authorization to prevent or lessen a serious and imminent threat to health and safety. This included sharing information with family, friends, caregivers, and law enforcement. Additionally, PHI could be disclosed to treat the patient or another patient, coordinate healthcare services, and ensure public health and safety. In cases of infectious disease outbreaks, PHI could be disclosed without written permission to treat patients and protect public health. This included disclosing PHI to public health authorities, such as the CDC or local health departments, and to individuals at risk of contracting or spreading COVID-19, as long as state law authorized the disclosure.

Despite these exceptions, the disclosure of specific and detailed PHI to the media still required written HIPAA authorization from the patient or their legally authorized representative. Basic and general PHI, such as the patient's location in the facility and general condition ("stable" or "critical"), could be shared without authorization if the patient had not objected to being included in the facility directory and if the media requested the information by name. Media crews were also allowed to access areas of medical facilities that were generally accessible to the public without violating HIPAA regulations.

To ensure compliance when disclosing PHI to the media, healthcare organizations should obtain patient authorization, follow the minimum necessary rule, train staff on HIPAA compliance, seek legal and compliance guidance for complex requests, establish media response protocols, and ensure secure transmission and storage of PHI.

Disclosure to public health authorities

During the COVID-19 pandemic, the U.S. Department of Health and Human Services (HHS) issued guidance on how covered entities may disclose protected health information (PHI) about an individual infected with or exposed to COVID-19 to public health authorities in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.

Covered entities and business associates may disclose PHI without written authorization to public health authorities such as any local or state health department, the CDC, a foreign government agency collaborating with a public health authority, or any person or entity granted authority by or under contract with a public health agency.

Covered entities can disclose PHI without patient authorization to anyone who may have been exposed to COVID-19 or is at risk of contracting or spreading it. They may also disclose PHI to anyone they believe can prevent or reduce a serious health threat to a person or the public by receiving the PHI in question.

HIPAA permits a covered entity to disclose PHI to a public health authority (such as the CDC) or state, tribal, local, and territorial public health departments authorized by law to collect or receive PHI for the purpose of preventing or controlling disease, injury, or disability, including for public health surveillance, public health investigations, and public health interventions.

During the COVID-19 pandemic, health oversight agencies and public health authorities have sometimes asked business associates to provide PHI or use PHI (e.g., for data analysis) to support the COVID-19 response. A Notification of Enforcement Discretion (NED) allows business associates to use and disclose PHI for health oversight and public health activities, subject to certain conditions, even if such uses and disclosures are not described in their existing business associate agreements (BAAs).

Disclosure to persons at risk

The COVID-19 pandemic has brought about a unique set of challenges for the healthcare industry, particularly regarding patient privacy and the disclosure of protected health information (PHI). Despite the emergency situation, the Health Insurance Portability and Accountability Act (HIPAA) regulations remain in effect, and covered entities must continue to adhere to the HIPAA Privacy Rule. However, during a public health emergency such as the COVID-19 pandemic, certain provisions of the HIPAA Privacy Rule can be waived without penalties in specific instances.

During the COVID-19 pandemic, covered entities can disclose PHI without patient authorization to individuals who are at risk of contracting or spreading COVID-19. This includes disclosing PHI to anyone who might have been exposed to COVID-19 or is at risk of either contracting or spreading the virus. This disclosure is permitted if the covered entity is authorized by state law or any other relevant law to notify necessary individuals to prevent or control the spread of the disease. This waiver of patient authorization is crucial in allowing healthcare providers to take swift and necessary actions to protect public health.

For example, a covered entity, such as a hospital, is permitted to disclose PHI about an individual who has tested positive for COVID-19 to first responders, including paramedics and emergency medical transport personnel. This disclosure is allowed without the patient's authorization if required by law or if the first responder is at risk of infection. By disclosing PHI to first responders, healthcare providers enable them to take extra precautions, use personal protective equipment, and help prevent the spread of the virus.

Additionally, covered entities can disclose PHI to anyone they believe can prevent or reduce a serious and imminent threat to the health and safety of a person or the public by receiving the information. This could include disclosing PHI to family members, friends, caregivers, or law enforcement if doing so is necessary to prevent or lessen the threat. Covered entities must exercise sound professional judgment when making such disclosures and ensure that only the minimum necessary information is disclosed to accomplish the purpose.

Disclosure to prevent or lessen a serious threat

The COVID-19 pandemic has brought about a unique set of challenges for healthcare organizations in terms of adhering to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. While the HIPAA Privacy Rule protects the security and privacy of patients' protected health information (PHI), certain provisions of the rule can be waived in specific instances during a national Public Health Emergency like the COVID-19 pandemic.

One such instance is when disclosure of PHI is necessary to prevent or lessen a serious threat to the health or safety of an individual or the public. In these situations, covered entities may disclose PHI without patient authorization to:

  • Public authorities: Local or state health departments, the CDC, foreign government agencies, or any entity under contract with a public health agency.
  • Individuals at risk: Anyone who may have been exposed to COVID-19 or is at risk of contracting or spreading it.
  • Family and friends: Family members, relatives, friends, or anyone involved in the patient's care.
  • First responders: Police officers, paramedics, emergency medical transport personnel, and other first responders who may be at risk of infection or are necessary for treatment.

It is important to note that covered entities should still make reasonable efforts to limit the PHI disclosed to the minimum amount of information required to accomplish the purpose of the disclosure. Additionally, disclosures should only be made if the covered entity has a good faith belief that the disclosure is necessary, and it is made to a person reasonably able to prevent or lessen the threat.

The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) has provided guidance and flexibility to covered entities during the COVID-19 Public Health Emergency, recognizing the need to balance patient privacy with public health and safety.

Disclosure to first responders

On March 24, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued guidance to HIPAA-covered entities regarding how they may disclose protected health information (PHI) to first responders without first obtaining HIPAA authorization from the individuals the information concerns. This guidance was provided in the form of a Q&A document, which outlined the specific circumstances under which disclosure of PHI without authorization is permitted.

Firstly, the guidance states that disclosure of PHI to first responders without authorization is permitted when it is necessary for treatment purposes. For example, a skilled nursing facility may disclose PHI about a patient with COVID-19 to emergency medical transport personnel providing treatment during transportation to a hospital.

Secondly, disclosure without authorization is permitted when required by law. For instance, covered entities may disclose PHI about an individual who tests positive for COVID-19 in accordance with state laws mandating the reporting of suspected or confirmed infectious disease cases to public health officials.

Thirdly, covered entities may disclose PHI to notify a public health authority to prevent or control the spread of disease. This includes disclosures to public health authorities for purposes of public health surveillance, investigations, and interventions.

Fourthly, covered entities may disclose PHI to first responders when the responders may be at risk of infection. For example, a county health department may disclose PHI to a police officer who may come into contact with a person who tested positive for COVID-19, in order to prevent or control the spread of the virus.

Finally, covered entities may disclose PHI to first responders when necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. This includes disclosures to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting public health and safety.

It is important to note that, in all instances, covered entities should make reasonable attempts to limit the disclosure of PHI to the minimum amount of information required to achieve the purpose of the disclosure.

Frequently asked questions

The HIPAA Privacy Rule protects the security and privacy of people's protected health information (PHI). When a patient's PHI is in electronic form, it's called ePHI.

Yes. Covered entities and business associates are allowed to disclose PHI if it’s necessary to treat the patient — or any other patient — without a patient’s authorization.

Yes. Covered entities and business associates may disclose PHI without written authorization to public health authorities such as any local or state health department, the CDC, a foreign government agency that is collaborating with a public health authority, or any person or entity who has been granted authority from or is under contract with a public health agency.
