July 14, 2020

Volume X, Number 196

July 13, 2020

Subscribe to Latest Legal News and Analysis

HIPAA-Permitted Disclosures on the Frontlines

Over the last several weeks, the Office for Civil Rights (“OCR”) within the Department of Health and Human Services (“HHS”), the agency responsible for HIPAA enforcement, issued a number of bulletins, notices, and similar guidance materials to assist HIPAA covered healthcare providers and entities during the COVID-19 public health emergency. One such notice provided some leniency for healthcare providers utilizing telemedicine technology, indicating that OCR would not enforce against providers attempting (in good faith) to provide telehealth services using technology platforms that may not otherwise meet all HIPAA requirements. The most recent of OCR’s guidance materials was a March 24, 2020 notice reminding those responding to the COVID-19 pandemic that protected health information (“PHI”) can be communicated without a patient’s authorization in responding to the pandemic. 

The HIPAA Privacy Rule permits a covered healthcare provider or entity to disclose the PHI of a person infected with, or exposed to, COVID-19, to law enforcement, first responders like paramedics, and public health authorities (e.g., state and local public health departments) without the individual’s authorization, in certain circumstances. This means that the identity of the person who tested positive, the fact that they tested positive, where person is receiving treatment or self-isolating, how long ago the person was infected and if the person is symptomatic or not, among other relevant details, could be disclosed, subject to HIPAA’s parameters below. OCR’s notice serves as a reminder that while HIPAA’s patient privacy protections apply in a pandemic, those protections should be balanced against countervailing needs to protect first responders and the general public in the face of a pandemic. 

Here are examples of when disclosure of PHI by a covered entity (who will frequently be healthcare providers in the COVID-19 context) is permissible under HIPAA whether or not an individual affected with the virus has consented to sharing of his/her PHI: 

  • When needed to provide treatment: For example, a skilled nursing facility could tell the paramedics transporting a resident to the ER for treatment of symptoms suggesting infection whether or not the individual has tested positive for COVID-19. 

  • When first responders may be at risk of infection: For example, a local or state health department, assuming it was done in accordance with its state’s laws, would be allowed under HIPAA to disclose PHI to a police officer or other first responder who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. 

  • When necessary to prevent or lessen a serious and imminent threat to public health and safety: For example, HIPAA would permit a covered entity to disclose PHI to anyone in a position to prevent or lessen the serious or imminent threat to health and safety. This would include personnel whose job is to protect public health and safety, such as police, fire fighters, child welfare workers, and others. This could also include family members of a patient. The standard to be able to make a disclosure in such a case is that the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties. HIPAA defers to the professional judgment of healthcare providers in determining the nature and severity of a threat.

  • When required by law and when needed to prevent or control the spread of disease (disclosure to a public health authority) – these are two different exceptions: An example that meets both of these exceptions to needing an individual’s authorization to disclose their PHI under HIPAA is a hospital reporting cases of COVID-19 treated at its facility in accordance with state laws regarding notification to public health officials of suspected cases of infectious disease.

It is possible that a number of these exceptions will overlap and apply at the same time in some circumstances. 

OCR further reminds covered entities that: notwithstanding the unprecedented events in connection with COVID-19, HIPAA still applies. In other words, except when required by law, or for treatment disclosures, a covered entity must still make reasonable efforts to limit the information disclosed under any provision listed above to that which is the “minimum necessary” to accomplish the purpose of the disclosure. Covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose, when that reliance is reasonable under the circumstances.

This recent notice from OCR follows up on a February 2020 bulletin addressing these topics as well. OCR’s prior bulletin also highlighted that HIPAA permits a covered entity to share PHI with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief, for the purpose of, for example, notifying family or others involved in the patient’s care. A covered entity is not required to obtain patient authorization to share their PHI if doing so would interfere with the disaster relief organization’s ability to respond to the emergency. 

Given the escalation of COVID-19 cases in the U.S. and their spread throughout the country, reminders from OCR are likely to continue. While OCR seems to provide some breathing room for healthcare providers during this current crisis, the regulator has not provided a complete waiver of HIPAA obligations. Further, given that state Attorneys General can also bring HIPAA enforcement actions and many of the necessary (less common) disclosures required during this pandemic intersect with state medical records and communicable disease laws, it is important that healthcare entities continue to act in good faith to protect patient privacy whenever possible while also protecting the broader population and other healthcare employees from further exposure. Looking ahead to consider how an entity’s actions will reflect when the emergency period passes and the dust begins to settle is a good barometer to evaluate the reasonableness and justification for how healthcare providers use and disclose PHI during this unprecedented crisis. 

This is a high-level summary of recent OCR HIPAA-related focus in light of COVID-19, and does not substitute for carefully reviewing OCR’s notice and the HIPAA regulations detailing what is/is not permitted. Please contact Tara Cho or Nadia Aram, the primary authors of this alert, or the Womble Bond Dickinson attorney with whom you normally work, if you have questions about this alert or your organization’s HIPAA compliance.

Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.National Law Review, Volume X, Number 86

TRENDING LEGAL ANALYSIS


About this Author

Tara Cho CIPP/US CIPP/E Data Security Attorney Womble Bond
Partner

Tara focuses her practice on privacy and data security issues across multiple industries such as technology, retail, e-commerce, and life sciences, with an emphasis on compliance risks and regulatory requirements affecting the healthcare sector. Tara became certified as a legal specialist in Privacy and Information Security Law by the North Carolina State Bar Board of Legal Specialization in 2018 as part of the inaugural class of specialists in this field – one of just 10 attorneys in the state to hold this certification.

She helps clients with all aspects of privacy and data...

919-755-8172
Nadia Aram, Womble Carlyle, Intellectual Property Attorney, technology licensing lawyer, commercial agreements legal counsel, private securities law
Associate

Nadia advises clients in a variety of business transactions involving the use and commercialization of intellectual property and technology. She has experience drafting and negotiating a broad variety of contracts, including technology licenses, services, consulting and other complex commercial agreements to help clients realize the value of their assets day-to-day, and as part of strategic product and technology acquisitions and divestitures. Nadia also practices in the areas of franchise law, and advertising, sweepstakes & promotions law, including advising clients on digital media marketing to minimize the risks of advertising and marketing online.

She started at the firm as a corporate attorney with a focus on mergers and acquisitions and private securities offerings and investments, and brings her knowledge and experience of corporate matters to bear on her current practice and advice to clients on strategic transactions. Relevant industry experience includes: biotechnology, agrochemical, pharmaceutical, software, retail, manufacturing, financial and other services sectors.

919-755-2119
Sandra Louise Weikel Miller Womble Bond Dickinson Healthcare lawyer
Partner

Sandy has helped clients through the heavily regulated and often confusing health law and healthcare litigation landscape for 25 years, and, before practicing law, she worked for more than a decade as a registered nurse, including serving as a Director of Nursing. She represents hospitals, home health agencies, hospitals, long term care facilities and other related health care providers. Sandy’s experience stretches across healthcare spectrum and she represents health care providers in a variety of health law related issues, including federal and state fraud and abuse compliance,...

+1 864.255.5425
Alissa Fleming, Womble Dickinson Law Firm, Charleston, Health Care Law Attorney
Of Counsel

Alissa possesses first-hand knowledge of the healthcare industry as an attorney and registered nurse.  Her legal practice and medical background enable her to advise and represent national, regional and local healthcare providers on a broad and diverse spectrum of legal issues.

She has represented healthcare providers in health law and healthcare litigation throughout the duration of her career.  She regularly represents hospitals, long term care facilities, home health agencies, pharmacies, and professionals in healthcare litigation, regulatory...

843-720-4638