December 3, 2022

Volume XII, Number 337


December 02, 2022

Subscribe to Latest Legal News and Analysis

December 01, 2022

Subscribe to Latest Legal News and Analysis

Relaxing Of HIPAA Laws During COVID-19 Pandemic

In light of the ongoing COVID-19 pandemic and the need for an informed and coordinated public health response, U.S. Secretary of Health and Human Services (HHS) Alex Azar has declared a limited waiver of the following provisions of the HIPAA Privacy Rule. Beginning March 15, 2020, these provisions have been waived:

  • Requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care

  • Requirement to honor a request to opt out of the facility directory

  • Requirement to distribute a notice of privacy practices

  • Patient's right to request privacy restrictions 

  • Patient's right to request confidential communications

This limited waiver is designed to facilitate the disclosure of patients’ protected health information in a number of specific circumstances connected to the ongoing pandemic

This waiver issued by Secretary Azar only applies under limited circumstances and is applicable:

  • In the emergency area identified in the public health emergency declaration

  • To hospitals that have instituted a disaster protocol

  • For up to 72 hours from the time the hospital implements its disaster protocol. If the public health emergency declaration is terminated by the President or the Secretary before the end of this 72-hour period, then the hospital must return to compliance with the provisions of the Privacy Rule.

Even without the waiver, the HIPAA Privacy Rule outlines a number of situations that permit a covered entity to disclose limited patient protected health information – at times without the patient’s consent – to individuals and entities other than the patient. Clients should consider reviewing the following list of permitted disclosures under the Privacy Rule in the event that they become relevant as the COVID-19 situation unfolds.

Treatment of Patients

Without the patient’s authorization, covered entities may disclose a patient’s protected health information as necessary for the purpose of the treatment (including the coordination or management of healthcare and related services by one or more healthcare providers and others, consultation between providers, and the referral of patients for treatment) of that patient or another patient. 

Public Health Activities

Public health authorities and others responsible for ensuring public health and safety may access protected health information that is necessary to carry out their public health mission, and as such, individual authorization by patients is not required in a number of circumstances:

  • Covered entities may disclose patient’s health information to public health authorities such as the CDC or a state or local health department authorized by law to collect or receive such information. 

  • If a public health authority such as the CDC or a state or local health department directs the covered entity to do so, a covered entity may disclose protected health information to a foreign government agency that is collaborating with the domestic public health authority to address a matter of public health. 

  • If authorized by state law or a public health authority, a covered entity may disclose protected health information of a patient to persons at risk of contracting or carrying a communicable disease as necessary to prevent the further spread of the disease.

  • If authorized by state law or a public health authority, a covered entity may disclose protected health information as necessary to other parties engaged in undertaking public health interventions or investigations. 

Disclosures to Family, Friends and Others Involved in an Individual’s Care and for Notification

A covered entity may share a patient’s protected health information:

  • With the patient’s family members, friends, or other persons identified by the patient as involved in the patient’s care

  • As necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death

  • If necessary and in cases of sufficient interest and concern, in an attempt to identify, locate, and notify anyone responsible for a patient by disclosing information to the police, the press, or the public at large

Patient Incapacity

If possible, the covered entity should seek and attain verbal permission from patients or their representatives. If a patient, however, is incapacitated or in some other way unavailable, covered entities may share the patient’s private health information for limited purposes:

  • With family, friends, and others involved in the patient’s care if doing so would be in the best interests of the patient, according to patient’s healthcare provider’s professional judgment

  • With disaster relief organizations such as the American Red Cross that are authorized by law or by their charters to assist in disaster relief efforts 

Disclosures to Prevent or Lessen a Serious and Imminent Threat

HIPAA’s Privacy Rule expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety. Consistent with applicable state law and professional standards of professional ethical conduct, healthcare providers may share information with anyone as necessary to avert or mitigate a serious and imminent threat to the health and safety of other individuals. 

Disclosures to the Media and Others

Covered entities, according to the rules, should not disclose specific information about the treatment (including, but not limited to, a patient’s test results and specific details of an individual’s condition or illness) of an identifiable patient to the media or other individuals not involved in the patient’s care without the written, HIPAA-compliant authorization of the patient or the patient’s representative, except in such specific circumstances: 

  • If a patient has not objected to or otherwise restricted the release of their own protected health information and the media or another individual or individuals request information about that particular patient by name, a covered entity may at their discretion acknowledge that the patient is receiving care in the facility, release limited facility directory information, and may provide information about the patient’s condition in broad and general terms such as “critical,” “stable,” “deceased,” or “treated and released.”

  • If a patient is incapacitated, covered entities may also disclose information to the media and to other individuals not involved in the patient’s care only if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient. 

“Minimum Necessary Rule”

Excluding disclosures to healthcare providers for the purposes of treatment of the patient or others, all disclosures of protected health information that are not authorized by the patient are subject to HIPAA’s “minimum necessary” rule – which applies equally to disclosures made under the public health emergency waiver.

  • Under the “minimum necessary” rule, a covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose of the disclosure.

  • Internally, covered entities should apply role-based policies limiting the access to patient’s protected health information only to members of the workforce who need the information to perform their duties or whose health and safety may be jeopardized by failure to disclose such information.

  • When a patient’s protected health information is requested by a public health authority, covered entities may rely on representations from that authority or another relevant public official that the requested information is the minimum necessary to fulfill the purpose of the request. 

Finally, in the COVID-19 & HIPAA Bulletin, the Secretary specifies that a covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have COVID-19 is the minimum necessary for the public health purpose. 

© 2022 BARNES & THORNBURG LLPNational Law Review, Volume X, Number 78

About this Author

Heather Delgado Healthcare Attorney

Healthcare providers depend upon Heather Delgado for her commitment to responsiveness and practical legal advice. Heather focuses on finding the right solution for her clients. She is valued for her ability to overcome the obstacles her clients face and for her skill in applying complex laws and regulations to their business practices.

Heather’s experience includes the representation of healthcare providers, including hospitals, health systems, specialty hospitals, ambulatory surgery centers, multi- and single-specialty medical practices, and a wide variety of healthcare...

Laura D. Seng, Barnes Thornburg Law Firm, South Bend, Healthcare Attorney

Laura Seng is a partner in Barnes & Thornburg LLP’s South Bend, Indiana, office and is the chair of firm's national Healthcare Department. Ms. Seng concentrates her practice in regulatory compliance, transactional matters and medical-legal business issues for healthcare entities and individual providers. She is listed as a notable healthcare lawyer by Best Lawyers in America® and was recognized by her peers in Indiana Super Lawyers® as a “Rising Star” in healthcare law.  

Ms. Seng represents hospitals, physicians, multi-specialty clinics and healthcare...

Alexandra Dumezich Healthcare Lawyer Barnes & Thornburg Law Firm

Allie Dumezich focuses her practice on helping clients in the healthcare field navigate that consistently evolving landscape. Using her health sociology background, Allie helps clients analyze data and understand how population and health trends might affect hospitals and other healthcare entities.

With a long-standing interest in health data and its uses, patient privacy and the intersection of the two, she works closely with healthcare attorneys to research hospital policy, payment structures of insurance plans, HIPAA compliance, and compliance with Medicaid and Medicare laws....