“In general, except in the limited circumstances described elsewhere in this Bulletin, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization[.]” (Department of Health and Human Services, commenting on HIPAA’s limitations on disclosing COVID-19 related patient information)

The coronavirus (provisionally named SARS-CoV-2, with its disease being named COVID-19) has now been documented in more than 100 countries and territories. Over 120,000 cases have now been documented across the globe, resulting in more than 4,000 deaths, with cases outside of China tripling in just the past week. In the United States, there have been more than 1,000 reported cases across at least 23 states, resulting in 29 deaths. The coronavirus has impacted domestic and foreign travel, as the Centers for Disease Control and Prevention has issued a Warning - Level 3 (Avoid Nonessential Travel) for travel to China, Iran, South Korea and Italy, and has issued an Alert - Level 2 (Practice Enhanced Precautions) for travel to Japan. In addition, many businesses have imposed restrictions on domestic and foreign employee travel. Twitter, Amazon, Salesforce and Nike, in addition to scores of manufacturers and professional service firms, are among the companies banning certain employee travel due to the coronavirus. Many colleges and universities across the globe, including in the United States, have suspended in-person classes and certain events through various dates into April, urging those on campus to practice appropriate “social distancing” in order to stop or slow down the spread of the coronavirus. 

To remind covered entities of the parameters around disclosing protected health information (PHI) without individual authorization, the Department of Health and Human Services (HHS) has released a Bulletin: HIPAA Privacy and Novel Coronavirus. The Bulletin outlines various ways that PHI related to COVID-19 may be disclosed without patient authorization.

For background, HIPAA and its implementing regulations require that covered entities obtain written individual authorization before using and disclosing PHI, unless an exception applies. HIPAA applies only to covered entities (health plans, most health care providers, and health care clearinghouses) and their business associates. It does not apply to employers using and disclosing information about their employees that are held in employment records (as opposed to the records of the employer’s health plan). That is, an employer is not regulated by HIPAA simply because the employer receives health-related information of an employee, such as that the employee has tested positive for COVID-19. (This information could be governed by other privacy laws, however.)

HIPAA has a number of exceptions to the authorization requirement that may be relevant to covered entities treating patients with COVID-19. Here are some of the most common questions covered entities are asking:

Can we use and disclose PHI for treatment purposes without patient authorization? Yes. Covered entities are permitted to use and disclose PHI for treatment purposes without individual authorization. This includes using and disclosing PHI for treatment of the patient or other patients.

Can we disclose PHI to the CDC or a state or local health department without patient authorization? Yes. HIPAA permits covered entities to disclose PHI without individual authorization to a public health authority, such as the CDC or a state or local health department, that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease.

Can we notify persons who might have been exposed to COVID-19? Yes, under certain circumstances. Covered entities may disclose PHI to a person who may have been exposed to COVID-19 or may otherwise be at risk of contracting or spreading COVID-19, if other law (such as state law) authorizes the covered entity to notify such person. In addition, HIPAA permits a covered entity to disclose PHI to a person reasonably able to prevent or lessen a threat, if the covered entity believes in good faith that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. Note that good faith is presumed if the belief is based upon the covered entity's actual knowledge or in reliance on a credible representation by a person with apparent knowledge or authority.

Can we provide information to a patient’s family, friends, or other involved in the patient’s care? Generally speaking, HIPAA permits covered entities to disclose information directly relevant to a person’s involvement in a patient’s care if the patient agrees, does not object when presented with an opportunity to object, or the covered entity reasonably infers from the circumstances, based on the exercise of professional judgment, that the patient does not object to the disclosure. When patients are not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the patient’s incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the patient and, if so, disclose only the PHI that is directly relevant to the person's involvement with the patient’s care.

How can we respond if someone calls asking for a patient’s current condition? If someone calls and asks for a patient by name, the covered entity may disclose the patient’s location in the facility and condition described in general terms that does not communicate specific medical information about the patient (e.g., critical or stable, deceased, or treated and released). The covered entity must inform the patient of the PHI that it may include in a facility directory and the persons to whom it may disclose such information and provide the patient with the opportunity to restrict or prohibit the disclosure. When the opportunity to object cannot practically be provided because the patient is incapacitated or is receiving emergency treatment, facility directory disclosures may be made if such disclosure is consistent with a prior expressed preference of the patient, if any, that is known to the covered entity and in the individual's best interest as determined by the covered entity, in the exercise of professional judgment.

Note that patient authorization is required to disclose PHI to the media, unless the disclosure fits into one of the exceptions discussed above. Covered entities should be mindful of HIPAA’s minimum necessary requirements when making the above disclosures. 

For more information, see HHS’ Bulletin: HIPAA Privacy and Novel Coronavirus and the applicable HIPAA regulations at 45 C.F.R. § 164.506, 45 C.F.R. § 164.510, and 45 C.F.R. § 164.512. Note: This summary discusses how HIPAA permits covered entities to use and disclose PHI without authorization. Federal law 42 C.F.R. Part 2 (Part 2), applicable to certain substance use disorder information, and state law can be, and often is, more stringent than HIPAA. Part 2 will require individual authorization for most of the disclosures discussed above. If a more stringent state privacy law requires individual authorization to use or disclose the information, individual authorization will be required unless state authorities issue a waiver of such requirements under an emergency order or such disclosure is required under another state law, such as an infectious disease or public health related reporting law.  We recommend reviewing applicable state health department websites for additional information on COVID-19 reporting requirements.