July 11, 2020

Volume X, Number 193

Managing the Commercial Impact of the Coronavirus: Implications for Health Care

“In general, except in the limited circumstances described elsewhere in this Bulletin, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization[.]” (Department of Health and Human Services, commenting on HIPAA’s limitations on disclosing COVID-19 related patient information)

The coronavirus (provisionally named SARS-CoV-2, with its disease being named COVID-19) has now been documented in more than 100 countries and territories. Over 120,000 cases have now been documented across the globe, resulting in more than 4,000 deaths, with cases outside of China tripling in just the past week. In the United States, there have been more than 1,000 reported cases across at least 23 states, resulting in 29 deaths. The coronavirus has impacted domestic and foreign travel, as the Centers for Disease Control and Prevention has issued a Warning - Level 3 (Avoid Nonessential Travel) for travel to China, Iran, South Korea and Italy, and has issued an Alert - Level 2 (Practice Enhanced Precautions) for travel to Japan. In addition, many businesses have imposed restrictions on domestic and foreign employee travel. Twitter, Amazon, Salesforce and Nike, in addition to scores of manufacturers and professional service firms, are among the companies banning certain employee travel due to the coronavirus. Many colleges and universities across the globe, including in the United States, have suspended in-person classes and certain events through various dates into April, urging those on campus to practice appropriate “social distancing” in order to stop or slow down the spread of the coronavirus. 

To remind covered entities of the parameters around disclosing protected health information (PHI) without individual authorization, the Department of Health and Human Services (HHS) has released a Bulletin: HIPAA Privacy and Novel Coronavirus. The Bulletin outlines various ways that PHI related to COVID-19 may be disclosed without patient authorization.

For background, HIPAA and its implementing regulations require that covered entities obtain written individual authorization before using and disclosing PHI, unless an exception applies. HIPAA applies only to covered entities (health plans, most health care providers, and health care clearinghouses) and their business associates. It does not apply to employers using and disclosing information about their employees that is held in employment records (as opposed to the records of the employer’s health plan). That is, an employer is not regulated by HIPAA simply because the employer receives health-related information of an employee, such as that the employee has tested positive for COVID-19. (This information could be governed by other privacy laws, however.)

HIPAA has a number of exceptions to the authorization requirement that may be relevant to covered entities treating patients with COVID-19. Here are some of the most common questions covered entities are asking:

Can we use and disclose PHI for treatment purposes without patient authorization? Yes. Covered entities are permitted to use and disclose PHI for treatment purposes without individual authorization. This includes using and disclosing PHI for treatment of the patient or other patients.

Can we disclose PHI to the CDC or a state or local health department without patient authorization? Yes. HIPAA permits covered entities to disclose PHI without individual authorization to a public health authority, such as the CDC or a state or local health department, that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease.

Can we notify persons who might have been exposed to COVID-19? Yes, under certain circumstances. Covered entities may disclose PHI to a person who may have been exposed to COVID-19 or may otherwise be at risk of contracting or spreading COVID-19, if other law (such as state law) authorizes the covered entity to notify such person. In addition, HIPAA permits a covered entity to disclose PHI to a person reasonably able to prevent or lessen a threat, if the covered entity believes in good faith that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. Note that good faith is presumed if the belief is based upon the covered entity's actual knowledge or in reliance on a credible representation by a person with apparent knowledge or authority.

Can we provide information to a patient’s family, friends, or others involved in the patient’s care? Generally speaking, HIPAA permits covered entities to disclose information directly relevant to a person’s involvement in a patient’s care if the patient agrees, does not object when presented with an opportunity to object, or the covered entity reasonably infers from the circumstances, based on the exercise of professional judgment, that the patient does not object to the disclosure. When patients are not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the patient’s incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the patient and, if so, disclose only the PHI that is directly relevant to the person's involvement with the patient’s care.

How can we respond if someone calls asking for a patient’s current condition? If someone calls and asks for a patient by name, the covered entity may disclose the patient’s location in the facility and condition described in general terms that do not communicate specific medical information about the patient (e.g., critical or stable, deceased, or treated and released). The covered entity must inform the patient of the PHI that it may include in a facility directory and the persons to whom it may disclose such information and provide the patient with the opportunity to restrict or prohibit the disclosure. When the opportunity to object cannot practically be provided because the patient is incapacitated or is receiving emergency treatment, facility directory disclosures may be made if such disclosure is consistent with a prior expressed preference of the patient, if any, that is known to the covered entity and in the individual's best interest as determined by the covered entity, in the exercise of professional judgment.

Note that patient authorization is required to disclose PHI to the media, unless the disclosure fits into one of the exceptions discussed above. Covered entities should be mindful of HIPAA’s minimum necessary requirements when making the above disclosures. 

For more information, see HHS’ Bulletin: HIPAA Privacy and Novel Coronavirus and the applicable HIPAA regulations at 45 C.F.R. § 164.506, 45 C.F.R. § 164.510, and 45 C.F.R. § 164.512. Note: This summary discusses how HIPAA permits covered entities to use and disclose PHI without authorization. Federal law 42 C.F.R. Part 2 (Part 2), applicable to certain substance use disorder information, and state law can be, and often is, more stringent than HIPAA. Part 2 will require individual authorization for most of the disclosures discussed above. If a more stringent state privacy law requires individual authorization to use or disclose the information, individual authorization will be required unless state authorities issue a waiver of such requirements under an emergency order or such disclosure is required under another state law, such as an infectious disease or public health related reporting law.  We recommend reviewing applicable state health department websites for additional information on COVID-19 reporting requirements.

© 2020 Foley & Lardner LLP

National Law Review, Volume X, Number 71


About this Author

Jennifer J. Hennessy is a privacy and security and health care regulatory attorney with Foley & Lardner LLP. Her practice includes advising businesses on compliance with state and federal data privacy and security laws. She assists covered entities and business associates in complying with the HIPAA Privacy and Security Rules, and also advises businesses and individuals on compliance with state data privacy laws and federal law 42 C.F.R. Part 2, Confidentiality of Alcohol and Drug Abuse Treatment Records. She frequently guides clients through data incident management...

Jennifer L. Rathburn is a partner with Foley & Lardner LLP. Ms. Rathburn focuses on counseling clients on data protection programs, data incident management, and breach response and recovery, as well as the monetization of data, the Health Insurance Portability and Accountability Act (HIPAA), and other privacy and security issues. She is one of the founders of the Midwest Cyber Security Alliance and has a deep understanding of the complex risk, operational, and legal issues companies must address to maintain the confidentiality of, access to, and integrity of their data.

As a member of the firm’s Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices, Jennifer routinely helps clients prepare for and respond to data security incidents, from preparing incident response plans and advising on cybersecurity programs to handling the breach notification response process. Her depth of experience in this area and her collaboration with IT, risk, forensic, dark web, communication/PR, and other data experts provide a multi-disciplinary, practical approach to client issues.

Additionally, Jennifer guides clients in all aspects of preparing for and maintaining compliance with U.S. privacy and data security laws as well as the EU’s General Data Protection Regulation (GDPR). Such efforts include conducting readiness assessments; performing data mapping and inventory; reviewing and revising privacy, data security, and incident response policies and plans; updating customer- and employee-facing privacy and consent notices as well as third-party vendor templates and agreements; evaluating the appointment of a Data Protection Officer; and educating and training board members, staff, and other key stakeholders.

Ann Marie Uetz is a partner and trial attorney with Foley & Lardner LLP, where she represents clients in a variety of industries in all aspects of their contracts and business disputes. She also represents debtors, creditors and secured and unsecured lenders in all facets of restructuring. Ms. Uetz focuses her practice on business litigation and bankruptcy, two of Foley’s practice areas recently ranked by U.S. News—Best Lawyers® as “national First-Tier” practices in recognition of excellence in client service.