The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a US law that protects the privacy of patients' health information. The law applies to "covered entities" such as healthcare providers, clearinghouses, and insurance companies, as well as their "business associates." During the COVID-19 pandemic, the US Department of Health and Human Services (HHS) issued several Notifications of Enforcement Discretion (NEDs) to provide flexibility to covered entities in their response to the pandemic. These NEDs allowed for the disclosure of protected health information (PHI) in specific situations, such as to public health authorities and for telehealth services. However, HIPAA does not provide a blanket exemption, and covered entities must still comply with its administrative, physical, and technical safeguards to protect patient information. While HIPAA does not apply to non-healthcare employers, they are still bound by certain laws and regulations, such as the Americans with Disabilities Act, to protect employee health information.
Characteristics | Values |
---|---|
Does HIPAA apply during a pandemic? | Yes, but certain provisions of the HIPAA Privacy Rule can be waived without sanctions or penalties in specific instances, as a pandemic is a national Public Health Emergency. |
What is the HIPAA Privacy Rule? | The HIPAA Privacy Rule protects the security and privacy of people's Personal Health Information (PHI). |
What is PHI? | PHI is patients’ protected health information. |
Can PHI be disclosed without patient authorization? | Yes, in specific cases, such as for treatment purposes, to public authorities, to someone who might have COVID-19, and to family and friends. |
Can PHI be disclosed without patient authorization to the media or public at large? | No, unless the patient has specifically not objected to the release of PHI. |
What is a HIPAA Notification of Enforcement Discretion (NED)? | A commitment by the Office of Civil Rights (OCR) to not enforce certain legal requirements during an emergency. |
What is the Public Health Service Act? | The foundation of the HHS’ legal authority for responding to public emergencies by authorizing the HHS Secretary to take key actions, such as leading all federal public health and medical responses, declaring a public health emergency, assisting states in meeting health emergencies, maintaining the Strategic National Stockpile, and controlling communicable diseases. |
What You'll Learn
- Disclosing PHI without patient authorization to public authorities
- Disclosing PHI without patient authorization to someone who might have COVID-19
- Disclosing PHI without patient authorization to family and friends
- The Privacy Rule and protecting patient health information
- HIPAA Notifications of Enforcement Discretion (NEDs)
Disclosing PHI without patient authorization to public authorities
During the COVID-19 pandemic, the Office of Civil Rights (OCR) has provided guidance on how covered entities and business associates may disclose PHI without patient authorization to public authorities. This guidance is outlined in the four Notifications of Enforcement Discretion (NEDs) issued by the OCR.
According to the guidance, covered entities and business associates may disclose PHI without patient authorization to public health authorities such as local or state health departments, the CDC, or any person or entity granted authority by a public health agency. This is permitted when it is necessary for purposes of controlling the spread of the virus or protecting the public from harm. For example, PHI can be disclosed to notify individuals who may have been exposed to COVID-19 or are at risk of contracting or spreading it.
Additionally, covered entities and business associates can disclose PHI to public authorities for public health activities, such as preventing or controlling disease, injury, or disability. This includes reporting communicable diseases, child abuse, violent injuries, and other mandatory public health reports.
It's important to note that while HIPAA provides flexibility during a public health emergency, it does not provide a blanket exemption from compliance with applicable regulations. Covered entities must still comply with administrative, physical, and technical safeguards to protect patient information.
Disclosing PHI without patient authorization to someone who might have COVID-19
Covered entities may disclose PHI to a person who may have been exposed to COVID-19 or may otherwise be at risk of contracting or spreading COVID-19, if other law (such as state law) authorizes the covered entity to notify such a person. In addition, HIPAA permits a covered entity to disclose PHI to a person reasonably able to prevent or lessen a threat, if the covered entity believes in good faith that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. Note that good faith is presumed if the belief is based upon the covered entity's actual knowledge or in reliance on a credible representation by a person with apparent knowledge or authority.
Covered entities must continue to comply with HIPAA and other confidentiality laws during a pandemic. Certain emergency provisions may apply in applicable state and federal regulations. For example, HIPAA permits disclosures to public health authorities and others where it is necessary for purposes of controlling the spread of the virus or to otherwise protect the public from harm. These exceptions permit disclosures that may be in the public good for purposes of addressing the emergency situation. The emergency exceptions do not provide a blanket exemption from assuring compliance with applicable regulations.
The HIPAA Privacy Rule protects the security and privacy of people's Personal Health Information (PHI). When a patient's Personal Health Information is in electronic form, it's called ePHI. The HIPAA Privacy Rule provides the standards for healthcare companies to completely protect any PHI or ePHI that's collected, processed, transmitted, or stored, and make sure that patients can access it and amend it if it is incorrect or has become corrupted due to identity theft or errors.
Covered entities and their business associates are allowed to disclose PHI if it's necessary to treat the patient or any other patient without a patient's authorization. This includes coordination and management of healthcare services by one or more healthcare providers, consultation between healthcare providers, and referral of patients for treatment.
Disclosing PHI without patient authorization to family and friends
However, covered entities should attempt to obtain verbal permission from patients or reasonably infer that the patient wouldn't object. If the patient is incapacitated or unavailable, covered entities can share PHI if it's in the patient's best interest and consistent with any prior expressed preferences. Patient permission is not required for disclosures to disaster relief organizations for coordinating family, friend, and caretaker notifications if obtaining permission would interfere with the organization's ability to respond to the emergency.
PHI disclosure without patient authorization is also permitted to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. This includes disclosing PHI to anyone in a position to prevent or mitigate the threat, such as family, friends, caregivers, and law enforcement.
The Privacy Rule and protecting patient health information
The Privacy Rule, part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), establishes a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirement of HIPAA. The Privacy Rule standards address the use and disclosure of individuals' health information—called "protected health information" (PHI) by organizations subject to the Privacy Rule—called "covered entities". The Privacy Rule also sets standards for individuals' privacy rights to understand and control how their health information is used.
Within HHS, the Office for Civil Rights (OCR) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties. A major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public's health and well-being.
The Privacy Rule permits covered entities to disclose PHI to public health authorities and others where it is necessary for purposes of controlling the spread of the virus or to otherwise protect the public from harm. These exceptions permit disclosures that may be in the public good for purposes of addressing the emergency situation. The emergency exceptions do not provide blanket exemption from assuring compliance with applicable regulations.
Covered entities include health plans, health care clearinghouses, and most health care providers. Business associates generally are persons or entities that are not inside the organization and who perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information.
PHI is any "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. "Individually identifiable health information" is information, including demographic data, that relates to:
- The individual's past, present or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual,
And that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
Covered entities must obtain the individual's written authorization for any use or disclosure of protected health information that is not for treatment, payment, or health care operations or otherwise permitted or required by the Privacy Rule. A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization, except in limited circumstances.
Covered entities that fail to comply voluntarily with the standards may be subject to civil money penalties. In addition, certain violations of the Privacy Rule may be subject to criminal prosecution.
HIPAA Notifications of Enforcement Discretion (NEDs)
The COVID-19 public health emergency (PHE) declared under Section 319 of the Public Health Service Act, also known as the "319 PHE", has been in effect since January 27, 2020, and has been continuously renewed. The 319 PHE is currently set to expire on May 11, 2023, and with it, four HIPAA Notifications of Enforcement Discretion (NEDs) will also end. NEDs are issued by the Office of Civil Rights (OCR) within the US Department of Health and Human Services (HHS). They represent a commitment by the OCR to not enforce certain legal requirements during an emergency. During the COVID-19 pandemic, these four NEDs have provided important flexibilities and tools for HIPAA covered entities, including local health departments, hospitals, pharmacies, and their partners.
The four NEDs that will end with the termination of the 319 PHE are:
- Telehealth: This NED allows healthcare providers to make good faith use of certain types of telehealth products to remotely deliver care during the 319 PHE. It covers audio-only and combination audio-video telehealth services and applies only to healthcare providers, not all covered entities. It encourages providers to notify patients of privacy risks and to use encryption and other privacy-protecting features.
- Business Associates: This NED allows business associates (BAs) to use and disclose protected health information (PHI) for health oversight and public health activities, even if not described in their existing business associate agreements (BAAs). It applies only to BAs whose BAAs do not already permit them to disclose PHI to public health and health oversight agencies. BAs must notify the covered entity within 10 calendar days of using or disclosing PHI.
- COVID-19 Community-Based Testing Sites (CBTS): This NED applies to covered healthcare providers and their BAs who are participating in the good faith operation of a CBTS, which includes mobile, drive-through, or walk-up sites providing COVID-19 specimen collection or testing services. It encourages the adoption of reasonable safeguards to protect patient privacy and PHI, such as using canopies and other physical barriers.
- Web-Based Scheduling Applications for COVID-19 Vaccination Appointments: This NED addresses the use of online or web-based scheduling applications for the limited purpose of scheduling individual appointments for COVID-19 vaccinations. It applies to covered healthcare providers, including some large pharmacy chains and public health authorities, or their business associates.
Covered entities that have been relying on these four NEDs during the pandemic should plan for the transition when the 319 PHE and the NEDs come to an end. OCR is allowing a 90-day transition period for entities to come into compliance with the HIPAA rules regarding the provision of telehealth.
Frequently asked questions
While HIPAA applies to specified "Covered Entities" (i.e. healthcare providers, clearinghouses, and insurance companies) and their "Business Associates", other employers are still bound by certain requirements to protect sensitive employee health information pursuant to the Americans with Disabilities Act and other applicable guidance.
Yes. Covered entities and business associates may disclose PHI without written authorization to public health authorities such as any local or state health department, the CDC, a foreign government agency that is collaborating with a public health authority, or any person or entity who has been granted authority from or is under contract with a public health agency.
Yes. If state law or any other relevant law permits, covered entities can disclose PHI without written authorization to anyone who may have been exposed to COVID-19 or is at risk of contracting or spreading COVID-19.