COVID-19 and HIPAA: What You Need To Know
This article is the second in a multi-part series addressing health care questions and issues that have arisen during the Coronavirus Disease (“COVID-19”) outbreak. The first article in the series provided an overview of the emergency measures enacted by federal and state governments that are intended to increase the accessibility and affordability of care during the COVID-19 outbreak. This article addresses emergency measures taken by the Office for Civil Rights (“OCR”), the agency that oversees and enforces the Health Insurance Portability and Accountability Act (“HIPAA”), in response to the COVID-19 outbreak.
We also provide guidance related to handling and disclosing COVID-19 patient information under such emergency measures and the existing rules of HIPAA. It is important to keep in mind that most states have enacted their own privacy laws that also require consideration and compliance. Should you have additional questions, please contact the Johnson Pope Health Care Team.
1. Are COVID-19 test results protected by HIPAA?
HIPAA’s rules apply to “protected health information.” Protected health information includes information as simple as a patient’s name as well as more sensitive information such as a patient’s medical history and test results. HIPAA requires that protected health information be safeguarded pursuant to HIPAA’s guidelines. De-identified health information is information that does not identify the patient and could not reasonably be used to identify the patient. HIPAA regulations do not apply to de-identified information. Thus, without patient authorization, a HIPAA covered entity (defined below) cannot disclose that a named individual has known exposure to COVID-19, or that such a patient has tested positive. However, a practitioner can advise the CDC that 10 unidentified patients have tested positive or have known exposure to COVID-19, even if those patients have not authorized the disclosure.
2. Are all health care providers required to comply with HIPAA?
No. HIPAA applies to “covered entities,” which are health plans, health clearinghouses, or health care providers who transmit health information electronically for a variety of purposes, including billing third-party payors.
3. Can a covered entity disclose suspected or confirmed COVID-19 cases to the CDC or state or local agency without patient authorization?
Yes. Patient authorization is not required to disclose protected health information to a public health authority (e.g., the CDC or a state or local health department) authorized to receive such information for the purpose of carrying out a public health initiative (e.g., preventing or controlling the spread of COVID-19). It is important to note that such disclosures are exempt from the patient authorization requirement only to the minimum extent necessary to carry out the public health authority’s public health mission. A covered entity may reasonably rely on the authority’s statement that the requested information constitutes the minimum information necessary. For example, if the CDC requests the names of all patients with COVID-19 exposure and/or suspected or confirmed COVID-19 diagnoses, coupled with a statement that the information requested is the minimum necessary to prevent the spread of COVID-19, the covered entity may rely on this statement in disclosing the requested patient names.
4. Are disclosures of protected health information to the media permitted without patient authorization?
No. Written patient authorization is required to disclose protected health information to the media. Please note that HIPAA outlines specific requirements that must be included in a compliant written patient authorization. To date, regulators have not provided for an emergency waiver of this requirement to address COVID-19 concerns.
5. Can a covered entity disclose protected health information to prevent and control the spread of COVID-19?
Yes, but only in limited circumstances: where state law also authorizes the disclosure, or where the disclosure is necessary to prevent the spread of COVID-19 and is limited to the extent required to prevent serious and imminent harm. The nature and severity of the harm should be determined in good faith using the professional judgment of the health care professional, and the disclosure must be to an individual reasonably able to lessen or prevent the harm. For example, depending on the specific circumstances, if a patient has a confirmed case of COVID-19 but refuses to self-quarantine, this exception may permit the professional to notify the patient’s family members and the proper authorities of the patient’s condition without patient consent.
6. Is a covered entity permitted to disclose protected health information related to COVID-19 to a patient’s family member or other individual identified by the patient as having involvement in the patient’s care?
Yes, with the patient’s consent. In this circumstance, HIPAA states that the form of consent can vary depending on the circumstances. For example, consent may be oral, or it may be reasonably inferred from the circumstances absent an objection by the patient. Unless absolutely untenable, the safest approach is always to obtain the patient’s written authorization.
7. What type of technology is permissible under HIPAA to render services via telehealth?
The OCR recommends the use of HIPAA compliant vendors (e.g., Skype for Business, Zoom for Healthcare) for video communications. In general, services rendered via telehealth must comply with HIPAA’s Security Rule. Given the increase in treatment via telehealth during the COVID-19 outbreak, the OCR has relaxed its enforcement of HIPAA’s Security Rule for all covered health care providers. Additional information regarding such enforcement is available in the OCR Notification published on March 17, 2020. The Johnson Pope Health Care Team will focus its next article in this multi-part series on related telehealth considerations.
As a reminder, HIPAA covered entities and business associates must continue to safeguard protected health information and limit access to such information to what is necessary. The OCR has issued guidance relaxing enforcement of HIPAA’s Privacy Rule in a hospital setting in emergency areas during the public health emergency declaration related to COVID-19. However, as of the date of this alert, OCR has not specified whether this exception applies to any other health care providers.