Coronavirus and Patient Privacy: How the HIPAA Rules Change During a Public Health Emergency

Coronavirus (COVID-19) has officially been declared a public health emergency. And the usual HIPAA Privacy restrictions on collecting, using and disclosing patients’ personal health information (PHI) without consent are relaxed during public health emergencies. The bottom line: There may be situations where labs can and, in some cases, must take liberties with PHI. Here’s a quick look at what you can and can’t do based on Feb. 3, 2020 guidance from the Office for Civil Rights (OCR), the HHS agency charged with enforcing the HIPAA rules.

The OCR Guidance

HIPAA doesn’t go away during a public health emergency; but the restrictions on sharing PHI do loosen up, at least in certain situations. OCR issued the guidance to clarify the privacy rules that labs and other HIPAA covered entities (which, for simplicity’s sake, we’ll refer to collectively as “labs” unless the context requires otherwise) must follow during the COVID-19 outbreak.

Sharing Patient Information

The HIPAA Privacy Rule requirement that labs not disclose a patient’s PHI without the patient’s authorization is subject to exceptions, including disclosure necessary to treat the patient or another patient. This is true even when there’s no public health emergency. Treatment, the guidance explains, includes coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment.

Disclosure for Public Health Activities

The HIPAA Privacy Rule recognizes the legitimate need for public health authorities to have access to PHI that’s necessary to carry out their public health mission. Accordingly, it allows labs to disclose such PHI without individual authorization

• To federal, state or local health departments or other public health authorities for the purpose of preventing or controlling disease, e.g., reporting cases of patients exposed to, suspected of or confirmed as having COVID-19;
• At the direction of a public health authority, to a foreign government agency acting in collaboration with the public health authority; and
• To persons at risk of contracting or spreading a disease or condition where state or other law authorizes the lab to notify such persons as necessary to prevent or control the spread of the disease.

Disclosures to Individuals Involved in Patient’s Care

Labs may share PHI with a patient’s family members, relatives, friends or other persons: i. that patients identify as being involved in their care; or, ii. as necessary to identify, locate and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition or death, which may include via the police, press or public at large. But the guidance stresses that the lab should, if possible, get verbal permission or otherwise be able to reasonably infer that the patient doesn’t object. A lab may also share PHI with disaster relief organizations like the American Red Cross, that are legally authorized to assist in disaster relief efforts.

Disclosures to Prevent Serious & Imminent Threat

Labs may share patient information with anyone as necessary to prevent or reduce a serious and imminent threat to the health and safety of a person or the public, subject to state and other applicable law and ethical standards of conduct.

Disclosures to the Media or Others Not Involved in Care

With limited exceptions, labs may not disclose PHI about the treatment of an identifiable patient, e.g., lab test results, without the patient’s written authorization. But if a patient hasn’t objected to or restricted the release of PHI, a covered hospital or other health care facility may, upon request, disclose information about a particular patient by name, may release limited facility directory information to acknowledge an individual is a patient at the facility, and may provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released).

Minimum Necessary

For most disclosures, a lab must make reasonable efforts to limit the information disclosed to the “minimum necessary” to accomplish the purpose. (Exception: Minimum necessary requirements don’t apply to disclosures to health care providers for treatment purposes.) Labs may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose, as long as that reliance is reasonable under the circumstances. For example, a lab may rely on representations from the CDC that the PHI requested about all patients exposed to or suspected or confirmed to have coronavirus is the minimum necessary for the public health purpose. 

Safeguarding Patient Information

In an emergency situation, labs must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Labs (and their business associates) must also implement the administrative, physical and technical safeguards required by the HIPAA Security Rule for electronic PHI.