Our Employment, Labor & Benefits colleagues recently blogged on the coronavirus and its ramifications for employers impacted by the outbreak. As this is still an active outbreak with cases increasing within the United States, it's a good time to review how HIPAA applies in a public health emergency, including its restrictions and flexibility in these types of situations. Accordingly, last week, the Office for Civil Rights (OCR) released a helpful bulletin on how the HIPAA Privacy Rule comes into play with the coronavirus outbreak and other public health emergencies.
The most important thing to remember is that the basic requirements of HIPAA still apply even in a public health emergency. For instance, health care providers must still uphold the “minimum necessary” standard when treating patients with the coronavirus. A covered entity must make a reasonable effort to disclose only the “minimum necessary” protected health information (PHI) to accomplish the purpose. When a public health authority asks a covered entity to disclose information to it for infectious disease reporting, a covered entity can rely that the request meets the “minimum necessary” standard to meet the authority’s public health purpose. Additionally, just because a public health emergency exists does not mean that covered entities can freely disclose patient information. The HIPAA Privacy Rule permits covered entities to disclose PHI without a patient’s authorization for the purpose of treating the patient.
However, disclosure of PHI to the media or others not involved in the patient’s care is generally not permissible except under certain circumstances. Notwithstanding the above, special rules are activated during a public health emergency. Under certain conditions, which are further detailed in OCR’s recent bulletin, it is permissible to disclose PHI to the following categories of individuals and entities:
-
Public health authorities;
-
Foreign government authorities (at the direction of public health authorities);
-
Persons at risk;
-
Family, friends, police, disaster relief organizations, etc. who are involved in the patient’s care; and
-
Anyone, if it would lessen or prevent a serious and imminent threat to the health and safety of the public at large or an individual person.
As public health agencies are still trying to contain the coronavirus in the U.S. and elsewhere, it is imperative for covered entities and business associates alike to comply with HIPAA while simultaneously balancing a public health emergency. Although HIPAA has taken account for these types of situations, the HIPAA rulebook cannot be set aside and disregarded during this time.