Due to the COVID-19 outbreak, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued a bulletin https://www.hhs.gov/sites/default/files/february-2020- hipaa-and-novel-coronavirus.pdf to ensure that HIPAA covered entities and their business associates are aware of the ways that protected health information (“PHI”) may be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation, such as the one we are currently experiencing.It is also intended to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency. OCR has also announced that it will exercise its enforcement discretion and will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against covered entities or their business associates for the good faith uses and disclosures of PHI for public health and health oversight activities during the COVID-19 nationwide public health emergency https://www.hhs.gov/about/news/2020/04/02/ocr-announces-notification-ofenforcement-discretion.html. The HIPAA Privacy Rule protects the privacy of PHI but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat an individual, to protect the nation’s public health, and for other critical purposes. The below Q&As are intended to provide general information on how to maintain this balance:
Does disclosure of the COVID-19 coronavirus outweigh HIPAA privacy rules?
No, covered entities and business associates must still comply with the protections required by HIPAA. The uses and disclosures of this information must comply with HIPAA allowed uses and disclosures. This is especially important if individuals are working remotely, it is important to remember that PHI must continue to be secured at all times – for example.
If paper documents containing PHI are necessary to perform your job and scanning is not an option, ensure the PHI is transmitted securely (e.g. carry the PHI in a locked briefcase or other secure container), ensuring the container is not left unattended at any time, and securing the PHI when not in use.
All work should continue to be accessed and processed through secure networks (e.g. do not email PHI to your personal email address or save PHI to your personal computer).
May PHI be shared with public health authorities?
Yes. In general, when there is a legitimate need to share information with public health authorities and others responsible for ensuring public health and safety, a Covered Entity may be asked to share PHI to enable them to carry out their public health responsibilities. This may arise with the current outbreak of COVID-19. Disclosures must comply with the minimum necessary requirements, releasing only the information necessary for the purpose at hand. For example, covered entities and/or business associates may share information as necessary with the Centers of Disease Control and Prevention (“CDC”), as well as health departments authorized by law to receive such information, to prevent or control disease or injury. These type of requests should be handled by the Plan’s Privacy Officer and Legal Counsel.
In what circumstances can exposure to COVID-19 coronavirus be disclosed?
HIPAA allows the disclosure of PHI in several circumstances, including for treatment, payment and healthcare operations and pursuant to a HIPAA Authorization. In addition, there are certain other circumstances in which the release of PHI can be made without a HIPAA Authorization. Situations that may be relevant to the COVID-19 pandemic may include the following:
To Public Health Authorities, such as the CDC or state or local health department, that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability. For example, a covered entity or a business associate, on behalf of a covered entity, may be required to disclose to the CDC PHI on an ongoing basis as needed to report all prior and prospective cases of individuals exposed to or suspected or confirmed to have COVID- 19.
To individuals at risk of contracting or spreading disease or condition. The disclosure may be made if other laws, such as state law, authorize the Fund to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.
To family, friends and others involved in an individual’s care. Disclosure may be made to a patient’s family members, relatives, friends or other persons identified by the patient as involved in the patient’s care. Before doing so, verbal permission must be obtained from the individual or otherwise be able to reasonably infer that the individual does not object. If the individual is incapacitated or not available, the information may be shared for these purposes if, in the professional judgement, doing so is in the individual’s best interest.
To prevent a serious and imminent threat, consistent with applicable law and standards of ethical conduct, PHI may be disclosed to persons reasonably able to prevent or lessen the threat, including the target, of a serious and imminent threat to the health or safety of a person or the public, or to law enforcement authorities. PHI used or disclosed must be specific and limited, and based on a good faith belief that disclosure is necessary to avert or lessen the threat.
Zenith American Solutions, Inc. is not offering legal advice. Please consult with the Fund’s legal counsel for legal guidance or legal recommendations.