As employers prepare for possible impacts of the Coronavirus (COVID-19), one important step is to review the types of health disclosures that the Health Insurance Portability and Accountability Act (HIPAA) does and does not allow in such times of crisis.
“Federal privacy laws, such as HIPAA, can create complexities for many plan sponsors as they attempt to weigh the privacy rights of an employee or dependent who has contracted COVID-19 against preserving public safety, including that of the employee’s or dependent’s co-workers, family, and friends,” according to a blog post from Morgan Lewis attorneys Saghi Fattahian and Michelle McCarthy.
A recent bulletin from the U.S. Department of Health and Human Services (HHS) clarified the application of HIPAA’s privacy rules, including their exception for public health-related disclosures, in the Coronavirus context.
“The protections of the Privacy Rule are not set aside during an emergency,” but the rule still allows protected health information (PHI) to be used and disclosed “when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes,” HHS’s Office for Civil Rights (OCR) explained.
The OCR issued the bulletin “to ensure that HIPAA covered entities and their business associates are aware of the ways that patient information may be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation.” The agency has periodically issued this type of guidance in response to crises such as natural disasters, mass shootings, and the 2014 Ebola outbreak.
“The most important thing to remember is that basic requirements of HIPAA still apply even in a public health emergency,” according to Mintz Levin attorney Kristen Marotta. HIPAA allows covered entities to use and disclose PHI without a patient’s authorization for treatment, payment, and health care operations. However, the existence of a public health emergency “does not mean that covered entities can freely disclose PHI for other purposes,” she noted. “Disclosure of PHI to the media or others not involved in the patient’s care is generally not permissible.”
The latest OCR bulletin discusses the disclosures allowed by HIPAA for treatment, public health activities and “to prevent a serious and imminent threat,” as well as to an individual’s family or friends.
Public health disclosures include those made to the Centers for Disease Control and Prevention or a state or local health department “that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability,” the OCR stated. PHI also may be disclosed at the direction of a domestic or foreign public health authority, or to individuals at risk if authorized by another law.
The disclosures HIPAA permits to family, friends, and others involved in the individual’s care include sharing PHI “as necessary to identify, locate, and notify family members … of the patient’s location, general condition, or death,” the OCR continued. “This may include, where necessary to notify family members and others, the police, the press, or the public at large.”
Otherwise, however, “affirmative reporting to the media or the public at large about an identifiable patient, or disclosure to the public or media of specific information about treatment of an identifiable patient” remains prohibited without his or her written authorization, the OCR noted. And usually, the PHI disclosed must be limited to the minimum necessary, although “covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose, when that reliance is reasonable under the circumstances.”
“As both the financial and practical costs of HIPAA violations can be steep, it is more than worthwhile for covered entities and their business associates to take this reminder from HHS very seriously,” warned Kevin Troutman of Fisher Phillips. “Thus, it is important to ensure compliance with these use and disclosure particulars of the Privacy Rule, even under challenging circumstances.”
This is a good time to reemphasize policies against accessing personal health records without a legitimate purpose, according to Fattahian and McCarthy. “Employers should always be wary of employee snooping, as this poses a significant privacy risk, but none more so than for those employers that are subject to the HIPAA privacy rule,” they stated. “We recommend using the curiosity and media presence surrounding COVID-19 as an opportunity to remind those employees with access to PHI of their responsibilities under HIPAA.”
David A. Slaughter, JD, is a Senior Legal Content Specialist. He focuses on providing, editing, and updating content related to employee benefits and privacy compliance, including the Thompson HR benefits products. Before coming to BLR, he was an employee benefits compliance editor with Thompson Information Services.
Mr. Slaughter received his law degree from the University of Virginia and his B.A. from Dartmouth College. He is an associate member of the Virginia State Bar. Questions? Comments? Contact David at firstname.lastname@example.org for more information on this topic.