HIPAA Requirements and the Coronavirus

By Kyle J. Haubrich of Sandberg Phoenix Law Firm

It is important for medical practices, hospitals, clinics, and other healthcare professionals to know and understand that just because the Coronavirus has caused a national emergency and everything seems to be in chaos right now, medical practices must still comply with HIPAA’s Privacy Rule requirements.  However, HHS (the Department of Health and Human Services) has lifted some requirements, and waived others altogether.  In an effort to help medical practices understand which requirements are waived, and which requirements must still be observed, we are offering the following guidance.

Sharing Patient Information

When sharing a patient’s protected medical information, your practice must continue to maintain strict adherence to HIPAA, just like you would during normal circumstances.  You can disclose a patient’s protected health information, during this Coronavirus National Emergency, for several instances.  Those instances include (1) Treatment; (2) Public Health Activities; (3) Disclosure to Family, Friends, and Others involved in the patient’s care; (4) Disclosure to Prevent a serious and Imminent Threat; and (5) Disclosures to the Media.  As all these things have specific requirements that must be met in order to use or disclose a patient’s medical information during this national emergency, the requirements are discussed below.

Treatment.  Under the Privacy Rule, a physician may disclose a patient’s protected health information, without the patient’s authorization, as necessary to treat that patient or to treat someone else. HIPAA defines treatment as “the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment.” See 45 CFR §164.501.  Therefore, if a patient enters your office with symptoms that look as though they might have the Coronavirus, you can still disclose the patient’s medical information to the other physicians you refer the patient to, so that the patient can be tested and, if necessary, treated for the Coronavirus.

Public Health Activities.  If there was ever a time where this HIPAA regulation was needed, it is now.  HIPAA’s Privacy Rule allows for “the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to [protect the public].” Thus, the Privacy Rule allows physicians to disclose needed health information of the patient, without the patient’s authorization:

  • To a public health authority, such as the Centers for Disease Control (CDC), or a state or local health department, that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease. See 45 CFR §§ 164.501 and 164.512(b)(1)(i). For example, you are allowed to disclose your patients’ protected health information to the CDC on an ongoing basis, or as needed, to help the CDC understand the extent to which the Coronavirus has spread or is spreading.
  • To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes you to notify such persons as necessary to prevent or control the spread of the disease. See 45 CFR 164.512(b)(1)(iv). For example, if a patient comes into your office showing symptoms of the Coronavirus, and after tests are completed it is determined that the patient has the Coronavirus, you would be allowed under HIPAA to disclose that information to any person or persons who may be at risk because that patient tested positive for the virus, i.e., family, friends, co-workers, or anyone else the patient may have come in contact with.  This can be done without the patient’s authorization, but it may not be done publicly.  The best practice is to inform anyone that may be at risk privately, to protect the patient’s protected health information as much as possible.

Disclosures to Family, Friends, and Others Involved in a Patient’s Care. A medical provider, such as a physician, physician assistant, nurse practitioner, or other healthcare professional, may share medical information about a patient with the patient’s family members, relatives, friends, or other persons identified by the patient as involved in their care.

  • You must still get verbal permission from the patient, or reasonably infer that the patient does not object, if possible. This is done by exercising your professional medical judgement that disclosing this information to family, friends, and others involved in the patient’s care would or could prevent the spread of the disease and thus protect them and/or the patient.
  • In addition, you may share a patient’s protected health information with disaster relief organizations, like the American Red Cross, or with authorities like the CDC, who are authorized by law to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to an emergency like the Coronavirus. It is your responsibility to use your professional medical judgement in this situation to determine if disclosing a patient’s protected medical information to one of these disaster relief organizations, or national, state, or local authorities, would aid in the prevention of the disease.

Disclosures to Prevent a Serious and Imminent Threat. You may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. See 45 CFR 164.512(j).  Again, if you feel that disclosing that the patient has the Coronavirus would aid in preventing or lessening the serious threat it poses to the public, then you would be allowed to do so.  Even so, you can disclose this information without releasing the patient’s name, address, date of birth, etc., to keep the patient from potentially being stigmatized.  Common sense and medical judgement are what must be exercised in this case. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to public health and safety. See 45 CFR 164.512(j).

Disclosures to the Media. In general, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results, or details of a patient’s illness, may not be done without the patient’s written authorization, or the written authorization of a personal representative of the patient. See 45 CFR 164.508.  The reasons for this are many; however, general information is still needed to help protect the public.  For example, if John Doe comes into your practice and shows symptoms of the Coronavirus, and you have him tested and the test shows he has the virus, your requirements under HIPAA would be to inform the media as follows:

“This morning we had a patient present with symptoms of the Coronavirus.  Our office had this patient immediately obtain testing to rule out the virus.  After the tests were completed, it showed that the patient did in fact have the Coronavirus.  Our office is in the process of notifying anyone that may have encountered the patient during the last few days of the positive test result so that they can obtain testing on their own as well.  Per HIPAA requirements, we are unable to disclose the name of the patient that tested positive but have disclosed all necessary information to the CDC and other state and local authorities allowed to have such information.”

Remember, while we would all like to know who has, or does not have, the Coronavirus, all patients have HIPAA rights that still need to be enforced and respected.  Keeping the information general, so that the patient cannot specifically be identified, will allow the public to know of additional Coronavirus cases without subjecting the patient to potential discrimination, stigmatization, or other unfortunate circumstances.

Minimum Necessary. For most disclosures, you or your practice must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose.  For example, as outlined above, if John Doe comes into your practice showing symptoms of the Coronavirus, you test him for the virus, and he tests positive, the most you can say to the public is the generic statement above.  You may not, under any circumstances, disclose the patient’s name, address, date of birth, or any other identifiable information of the patient.

However, when disclosing to a public health authority, or other public official, this information may be more specific, as the Minimum Necessary Standard does not apply to them.  For example, if the CDC were to ask you for the patient’s name, address, and other protected information of the patient, you would be allowed to disclose to them all the information they are requesting, as the CDC is required to comply with HIPAA’s requirements, just as you are.

Another area you need to remain focused on is keeping your staff from snooping during this Coronavirus National Emergency.  HIPAA still requires you to apply your role-based access policies so that your staff doesn’t go snooping into patients’ information that they otherwise would not be allowed to access as part of their job within your practice. See 45 CFR §§ 164.502(b), 164.514(d).  Just because a patient shows up to your practice with Coronavirus symptoms does not mean they have the virus.  Therefore, allowing your staff to access such information when they don’t need access to it would be a HIPAA violation and would subject your practice to fines, penalties, and potentially lawsuits for negligence in protecting the patient’s health information.

Patient Information in an Emergency

In an emergency, you must continue to implement reasonable safeguards to protect your patients’ information against intentional or unintentional uses and disclosures. Further, you, as well as your business associates, vendors, etc., like an electronic medical record company, must continue to apply the same protections under the Security Rule of HIPAA as you would normally.  The national emergency, declared by President Trump, does not waive these requirements.  Failure to comply would result in fines, penalties, and potentially lawsuits against your practice.

HIPAA Applies Only to Covered Entities and Business Associates

The HIPAA Privacy Rule, even in this national emergency, only applies to disclosures made by employees, volunteers, and other members of a medical practice, hospital, clinic, or other medical professional’s or business associate’s staff.  Business associates generally are persons or entities that perform functions or activities on behalf of, or provide certain services to, a medical provider that involve creating, receiving, maintaining, or transmitting protected health information.

Business Associates. A business associate of a medical provider (including a business associate that is a subcontractor) may make disclosures permitted by the Privacy Rule, such as to a public health authority, on behalf of a medical provider or another business associate to the extent authorized by its business associate agreement.

Therefore, it is important, especially now, to ensure that all business associates, vendors, and anyone else involved in your practice’s day-to-day activities are complying fully with HIPAA’s requirements.  The last thing anyone wants is for a patient who tests positive for the virus to have the entire public know specifically who they are, as doing so could stigmatize that patient and cause more harm than good.

Just because the Coronavirus has caused a national emergency here in the United States, and has caused a pandemic in the world, does not mean that a patient’s HIPAA rights can be ignored.  Your practice must continue to adhere to HIPAA’s requirements, which at the same time allow you to disclose generic information to the public, as well as the information public health authorities and agencies may require in order to combat the virus.  While all of us may be self-quarantining in order to slow and/or prevent the virus from spreading, HIPAA’s requirements are not quarantined and need to continue to be adhered to.  Remember, failure to know exactly how to comply with HIPAA, or trying to do this on your own, could result in fines, violations, penalties, and potentially lawsuits against you and your practice.  Fight the virus, not your compliance with HIPAA.

Kyle J. Haubrich

Sandberg Phoenix Law Firm

St. Louis, MO