HIPAA: OCR Clarifies Rules for Sharing Coronavirus Patient Medical Information During Current Health Emergency

The usual HIPAA Privacy restrictions on collecting, using and disclosing personal health information (PHI) are relaxed during public health emergencies. With this in mind, the Office for Civil Rights (OCR), the HHS agency charged with enforcing the HIPAA rules, issued guidance to clarify the privacy rules that labs and other HIPAA covered entities (which, for simplicity’s sake, we’ll refer to collectively as “labs” unless the context requires otherwise) must follow during the coronavirus outbreak. Here’s a quick overview of the key points: Sharing Patient Information The HIPAA Privacy Rule requirement that labs not disclose a patient’s PHI without the patient’s authorization is subject to exceptions, including disclosure necessary to treat the patient or another patient. Treatment, the guidance explains, includes coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment. Disclosure for Public Health Activities You don’t need authorization to disclose PHI to for legitimate purposes connected to public health and safety, including disclosure:

• To federal, state or local health departments or other public health authorities for the purpose of preventing or controlling disease, e.g., reporting cases of patients exposed to, suspected of or confirmed as having coronavirus;
• At the direction of a public health authority, to a foreign government agency acting in collaboration with the public health authority; and
• To persons at risk of contracting or spreading a disease or condition where state or other law authorizes the lab to notify such persons as necessary to prevent or control the spread of the disease.

Disclosures to Individuals Involved in Patient’s Care Labs may share PHI with a patient's family members, relatives, friends or other persons: i. that patients identify as being involved in their care; or, ii. as necessary to identify, locate and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition or death, which may include via the police, press or public at large. But the lab should, if possible, get verbal permission or otherwise be able to reasonably infer that the patient doesn’t object. A lab may also share PHI with disaster relief organizations like the American Red Cross, that are legally authorized to assist in disaster relief efforts. Disclosures to Prevent Serious & Imminent Threat Labs may share patient information with anyone as necessary to prevent or reduce a serious and imminent threat to the health and safety of a person or the public, subject to state and other applicable law and ethical standards of conduct. Disclosures to the Media or Others Not Involved in Care With limited exceptions, labs may not disclose PHI about the treatment of an identifiable patient, e.g., lab test results, without the patient’s written authorization. See 45 CFR 164.508 for the requirements for a HIPAA authorization. But if a patient hasn’t objected to or restricted the release of PHI, a covered hospital or other health care facility may, upon request, disclose information about a particular patient by name, may release limited facility directory information to acknowledge an individual is a patient at the facility, and may provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released). Minimum Necessary For most disclosures, a lab must make reasonable efforts to limit the information disclosed to the “minimum necessary” to accomplish the purpose. (Exception: Minimum necessary requirements don’t apply to disclosures to health care providers for treatment purposes.) Labs may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose, as long as that reliance is reasonable under the circumstances. For example, a lab may rely on representations from the CDC that the PHI requested about all patients exposed to or suspected or confirmed to have coronavirus is the minimum necessary for the public health purpose. Safeguarding Patient Information In an emergency situation, labs must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Labs (and their business associates) must also implement the administrative, physical and technical safeguards required by the HIPAA Security Rule for electronic PHI.