HIPAA covered entities – healthcare providers, health plans, healthcare clearinghouses – and business associates of covered entities no doubt have many questions about HIPAA compliance and COVID-19 coronavirus cases. There may be confusion about the information that can be shared about individuals who have contracted COVID-19 and those suspected of exposure to the 2019 Novel Coronavirus, and with whom information can be shared.
HIPAA Compliance and the COVID-19 Coronavirus Pandemic
There is understandably concern about HIPAA compliance and the COVID-19 Coronavirus pandemic and how the HIPAA Privacy Rule and Security Rule apply. In the age of HIPAA, no disease outbreak on this scale has ever been experienced.
It is important to remember that during a public health emergency such as a disease outbreak, and this applies to HIPAA compliance and COVID-19, that the HIPAA Privacy and Security Rules still apply. The HIPAA Security Rule ensures the security of patients’ protected health information (PHI) and requires reasonable safeguards to be implemented to protect PHI against impermissible uses and disclosures. The HIPAA Privacy Rule restricts the uses and disclosures of PHI to those related to treatment, payment, and healthcare operations.
When public health emergencies are declared, it is common for the Secretary of the HHS to issue partial HIPAA waivers in affected areas. In such cases, certain provisions of the HIPAA Privacy Rule are waived for a period of 72 hours from the moment a HIPAA-covered entity institutes its disaster protocol. As of March 16, 2020, no HIPAA waivers have been declared by the Secretary of the HHS. Even without a HIPAA waiver, the HIPAA Privacy Rule permits responsible uses and disclosures of patients’ PHI.
OCR released a bulletin about the 2019 Novel Coronavirus in February 2020 confirming how patient information may be shared under the HIPAA Privacy Rule during emergency situations, such as the outbreak of an infectious disease, a summary of which is detailed below.
Permitted Uses and Disclosures of PHI in Emergencies
PHI can be disclosed without first receiving authorization from a patient for treatment purposes, including treating the patient or treating other patients. Disclosures are also permitted for coordinating and managing care, for patient referrals, and consultations with other healthcare professionals.
With a disease such as COVID-19, it is essential for public health authorities to be notified as they will need information in order to ensure public health and safety. It is permissible to share PHI with public health authorities such as the Centers for Disease Control and Prevention (CDC) and others responsible for ensuring the safety of the public, such as state and local health departments. These disclosures are necessary to help prevent and control disease, injury, and disability. In such cases, PHI may be shared without obtaining authorization from a patient.
Disclosures of PHI are also permitted to prevent and lessen a serious and imminent threat to a specific person or the public in general, provided that such disclosures are permitted by other laws. Such disclosures do not require permission from a patient. In such cases, these disclosures are left to the discretion and professional judgement of healthcare professionals about the nature and the severity of the threat.
Disclosures of Information to Individuals Involved in a Patient’s Care
The HIPAA Privacy Rule permits disclosures of PHI to individuals involved in the care of a patient such as friends, family members, caregivers, and other individuals that have been identified by the patient.
HIPAA covered entities are also permitted to share patient information in order to identify, locate, and notify family members, guardians, and other individuals responsible for the patient’s care, about the patient’s location, general condition, or death. That includes sharing information with law enforcement, the press, or even the public at large.
In such cases, verbal permission should be obtained from the patient prior to the disclosure. A healthcare professional must otherwise be able to reasonably infer, using professional judgement, that the patient does not object to a disclosure that is determined to be in the best interest of the patient.
Information may also be shared with disaster relief organizations that are authorized by law or charters to assist in disaster relief efforts, such as for coordinating the notification of family members or other persons involved in the patient’s care about the location of a patient, their status, or death.
The HIPAA Minimum Necessary Standard Applies
Aside from disclosures by healthcare providers for the purpose of providing treatment, the ‘minimum necessary’ standard applies. Healthcare professionals must make reasonable efforts to ensure that any PHI disclosed is restricted to the minimum necessary information to achieve the purpose for which the information is being disclosed.
When information is requested by a public health authority or official, covered entities can rely on representations from the public health authority or official that the requested information is the minimum necessary amount, when that reliance is reasonable under the circumstances.
Disclosures About COVID-19 Patients to the Media
HIPAA does not apply to disclosures by the media about infections, but HIPAA does apply to disclosures to the media by HIPAA-covered entities and their business associates. In such cases, the HIPAA-covered entity or business associate can provide limited information if a request is made about a patient by name. The information disclosed should be limited to the general condition of the named patient and their location in the facility, provided the disclosure is consistent with the patient’s wishes. The status of the patient should be described in terms such as undetermined, good, fair, serious, critical, treated and released, treated and transferred, or deceased.
All other information may not be disclosed to the media or any individual not involved in the care of a patient without first obtaining written consent from the patient in question.
Disclosures of Information About COVID-19 by Non-HIPAA Covered Entities
It is worth noting that HIPAA only applies to HIPAA-covered entities, business associates of HIPAA-covered entities, and subcontractors of business associates. There are no restrictions on disclosures of information about the 2019 Novel Coronavirus and COVID-19 by other entities; however, while HIPAA may not apply, other federal and state laws may do.
HIPAA would therefore not apply when an employee tells an employer they have contracted COVID-19 or are self-isolating because they are displaying symptoms of COVID-19. HIPAA would apply if an employer is informed about an employee testing positive, if the employer is notified about the positive test by the employer’s health plan.
Further Information on HIPAA Compliance and the COVID-19 Coronavirus Pandemic
In response to this emergency, HIPAA Journal has worked with Compliancy Group to set up a free hotline for any questions you have related to the response to HIPAA compliance during coronavirus crisis: (800) 231-4096
Background Information on the SARS-CoV-2 Pandemic and COVID-19
The 2019 Novel Coronavirus has been named Severe Acute Respiratory Syndrome Coronavirus 2 (SARS-CoV-2) and causes Coronavirus Disease 2019 (COVID-19). The virus was first identified in November and originated in Wuhan, in the Hubei province of China. The Chinese government took steps to control the spread of the virus, but it was not possible to contain, and it spread around globe.
The World Health Organization (WHO) declared the outbreak a public health emergency of international concern on January 30, 2020. Following the WHO declaration, HHS Secretary Alex Azar declared the SARS-CoV-2 outbreak a public health emergency for the United States. WHO declared the outbreak a pandemic on March 11, 2020 and on March 13, 2020, President Trump declared COVID-19 a national emergency.
SARS-CoV-2 is highly infectious, and COVID-19 has a high mortality rate. The mortality rate is difficult to determine many people infected with SARS-CoV-2 only have relatively mild symptoms and do not seek medical help. Testing has been erratic initially in many locations and tests have been in short supply. Based on the limited data available, the mortality rate ranges from less than 1% to 7%. In early March, WHO estimated a mortality rate of 3.4%; however, the data on which these figures are based may be inaccurate and this is an evolving situation.
One of the main factors that has contributed to the rapid spread of SARS-CoV-2 is the long incubation period before symptoms are experienced, during which time infected individuals can spread the virus. It can take up to 14 days before infected individuals start displaying symptoms. The median incubation time is 10 days.
This is a rapidly changing situation that is likely to get considerably worse until the spread of the disease can be curbed. In the absence of a vaccine to provide protection, steps need to be taken by the entire population to limit exposure and prevent the spread of the disease.
There has been significant progress towards a vaccine in a short space of time. Some pharma firms having already developed potential vaccines, but they now need to be tested for safety on humans in clinical trials. Even if the process can be fast tracked, it is unlikely that a vaccine will be available before 2021.
The post HIPAA Compliance and COVID-19 Coronavirus appeared first on HIPAA Journal.