HIPAA and the coronavirus (United States)

Healthcare Alert

COVID-19 Alert

This alert was updated on March 16, 2020 to reflect breaking news.

With the ongoing coronavirus disease (COVID-19) outbreak, it is important that businesses understand Health Insurance Portability and Accountability Act of 1996 (HIPAA) provisions relevant to public health disclosures.  We’re advising covered entities (and their business associates) on how they may be impacted by public health mandates.

The HIPAA Privacy Rule establishes national standards to protect and safeguard protected health information (PHI), medical records, and other individually identifiable health information used or disclosed by a covered entity in any form.  Absent an exception or exemption, a covered entity must generally obtain patient consent or authorization before using or disclosing patient PHI.  One exception under HIPAA is for uses and disclosures for public health activities. 

Under HIPAA, a covered entity may disclose, without a patient’s authorization, PHI to public health authorities that are authorized by law to receive such information for the purpose of aiding in public health activities.  To better understand whether a use or disclosure is allowed under this provision, here are key questions that businesses may consider asking:

What is a covered entity?

HIPAA only applies to covered entities or business associates.  A covered entity is a health plan, health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with certain health care transactions. 

What is a public health authority?

A public health authority is an agency or authority of the United States (or states, territories, political subdivision of a state, etc.), or a person acting under a grant of authority from or contract with such public agency, that is responsible for public health matters as part of its official mandate.

What are permissible disclosures pertaining to COVID-19?

Generally, a covered entity may disclose PHI for public health activities and purposes to:

  • A public health authority authorized by law to collect or receive such information for public health activities.
  • A person or persons who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation. For example, a state law may authorize a covered entity to notify such persons.
  • Anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law and the provider’s standards of ethical conduct.

Other potential disclosures may be permissible if the President declares a disaster or emergency under the Stafford Act or National Emergencies Act and the Secretary of the Department of Health and Human Services (Secretary) declares a public health emergency (PHE) pursuant to the Public Health Service Act. 

How do PHE declarations affect the HIPAA disclosure requirements?

Although the Secretary’s emergency powers are broad in the event of a pandemic declared by an organization such as the World Health Organization (WHO), or under the Secretary’s own declaration of an emergency or disaster, those emergency powers are primarily designed to facilitate the provision of health and human services.  Such emergency services, however, remain subject to the applicable HIPAA privacy standards in the absence of a Presidential declaration and a formal 1135 waiver.

If and when the President issues a declaration of emergency or disaster, the Secretary is then authorized to waive certain HIPAA requirements under section 1135 of the Social Security Act (1135 waivers).  Specifically, HIPAA sanctions and penalties may be waived if they relate solely to:

  • Obtaining a patient’s agreement to speak to family members or friends, or honoring a patient’s request to opt out of a facility directory;
  • Distributing a notice of privacy practices; or
  • The patient’s right to request privacy restrictions or confidential communications.

Affected facilities or providers must specifically request a waiver, and the Centers for Medicare & Medicaid Services (CMS) will review and approve the requests on a case-by-case basis.  Waivers that are based on hospital disaster protocols are effective for a 72-hour period. 

On January 30, 2020, the WHO declared COVID-19 a public health emergency of international concern.  On January 31, 2020, the Secretary declared a PHE arising out of COVID-19, which declaration was retroactive to January 27, 2020.  On March 13, 2020, the President declared an emergency regarding the COVID-19 outbreak pursuant to the National Emergencies Act.  HHS also issued a series of Section 1135 waivers relating to inpatient and long-term care services, durable medical equipment and home health, and certain administrative procedural requirements relating to enrollment and payment appeals.  We will continue to monitor any upcoming HIPAA-related Section 1135 waivers from the Secretary.

How much information may be disclosed if the HIPAA requirements are not waived?

Although disclosures may be permissible for public health activities, there are limitations on the amount of PHI that may be disclosed.  Generally, disclosure is expected to be limited to the minimum amount of information necessary to accomplish the intended purpose of the disclosure.  However, a covered entity may reasonably rely on a requested disclosure as the minimum necessary when the request is made by a public official or agency for public health activities.

What if the data is held by a business associate of the covered entity?

A business associate is a person or entity (other than members of the covered entity’s workforce) that performs functions or activities on behalf of a covered entity that involve creating, receiving, maintaining, or transmitting PHI.  A business associate of a covered entity may make disclosures permitted by the HIPAA Privacy Rule, including to a public health authority, on behalf of a covered entity or another business associate to the extent authorized by its business associate agreement (BAA).  With that in mind, here are some additional tips that covered entities might consider concerning business associates:

  • Confirm whether there is an executed BAA in place between the covered entity and business associate, if applicable.
  • Confirm that the BAA explicitly establishes the permitted and required uses and disclosures of PHI by the business associate.

By understanding the answers to these key questions, businesses can implement plans to assist with public health initiatives while preventing improper disclosures and protecting affected individuals.

For advice on your responsibilities as a covered entity or a business associate or how to respond to public health mandates, please contact any of the authors.

Please visit our Coronavirus Resource Center and subscribe to our mailing list to receive alerts, webinar invitations and other publications to help you navigate this challenging time.