No doubt HIPAA covered entities, including healthcare organizations, healthcare clearinghouses, health plans, and business associates of covered entities, have a lot of questions concerning HIPAA compliance and the COVID-19 coronavirus cases. There might be misunderstandings regarding the sharing of information of people who have gotten COVID-19 and those possibly exposed to the 2019 Novel Coronavirus, and with whom data may be shared.
HIPAA Compliance and the COVID-19 Coronavirus Pandemic
There is obviously consternation regarding HIPAA compliance and the COVID-19 Coronavirus pandemic as well as the application of the HIPAA Privacy Rule and Security Rule. Since the start of the HIPAA, there has been no disease outbreak on this enormity ever encountered.
It is essential to take note that the HIPAA Privacy and Security Regulations still apply in the course of a public health emergency like a disease outbreak, and this is applicable to HIPAA compliance and COVID-19. The HIPAA Security Rule makes certain the safety of the protected health information (PHI) of patients and calls for reasonable safety measures to be enforced to prevent impermissible uses and disclosures. The HIPAA Privacy Rule limits the uses and disclosures of PHI to those associated to a treatment plan, bill payment, and healthcare procedures.
Whenever public health emergencies are announced, it is typical for the Secretary of the HHS to give partial HIPAA waivers in areas affected by the emergency. In these situations, particular terms of the HIPAA Privacy Rule are suspended for 72 hours since the time a HIPAA-covered entity follows its disaster procedures. As of March 16, 2020, the Secretary of the HHS has not announced any HIPAA suspensions. Even with no HIPAA waiver, the HIPAA Privacy Rule allows sensible uses and disclosures of patients’ sensitive data.
In February 2020, OCR published a bulletin regarding the 2019 Novel Coronavirus, which confirms what the HIPAA Privacy Rule permits when it comes to sharing patient data while in emergency scenarios, like an infectious disease outbreak. The bulletin summary is detailed below.
Allowed Uses and Disclosures of PHI in Emergency Situations
PHI disclosure is permitted without first getting patient consent for treatment purposes. Disclosures are additionally allowed for coordinating care, for patient referrals, and consultations with other medical experts.
With a condition like COVID-19, it is important to alert public health authorities as they require the details so as to ensure the health and safety of the public. It is allowable to share PHI with public health authorities including the Centers for Disease Control and Prevention (CDC) and others in charge of making sure of the security of the public, like state and local health departments. In these situations, PHI can be disclosed without acquiring consent from a patient.
Disclosures of PHI are likewise allowed to avoid and minimize a serious and impending threat to a particular individual or the public, so long as such disclosures are allowed by other rules. These sorts of disclosures do not need consent from a patient. In such instances, it is the discretion of the medical specialists to evaluate the nature and the seriousness of the threat.
Disclosures of Data to Persons Engaged in a Patient’s Care
The HIPAA Privacy Rule allows disclosures of PHI to people engaged in the health care of a patient like friends, family, caregivers, and other people that the patient identified.
HIPAA covered entities are furthermore allowed to share patient data so as to identify, find, and alert family members, guardians, and other people in charge of the patient’s treatment, regarding the patient’s whereabouts, general condition, or demise. That consists of sharing data with authorities, the media, or even the general public.
In such instances, verbal authorization must be acquired from the patient prior to the disclosure. A healthcare expert should otherwise be able to sensibly infer, using expert judgment, that the patient doesn’t object to a disclosure that is identified to be for the patient’s best interest.
Information may furthermore be shared with disaster relief agencies that are approved by law or charters to help in disaster relief initiatives, for example for organizing the notice of family members or other individuals concerned in the patient’s treatment regarding the location of a patient, their condition, or demise.
The HIPAA Minimum Required Standard Applies
Healthcare specialists should make reasonable efforts to make sure that shared PHI is limited to the minimum required information to accomplish the objective for which the data is being disclosed.
When a public health authority or official asks for the data, covered entities can count on representations from the public health official or authority that the asked for details is the minimum required amount, when that reliance is sensible based on the conditions.
Disclosures With Regards to COVID-19 Patients to the Press
HIPAA is not applicable to press disclosures related to infections, however, HIPAA is applicable to disclosures of HIPAA-covered entities and their business associates to the press. In such instances, the HIPAA-covered entity or business associate may give restricted information in case there is a request regarding a patient by name. The details disclosed ought to be restricted to the general condition of the named individual and the specific area in the facility, given that the disclosure is in line with what the patient desires. The standing of the patient must be described using terms like undetermined, fair, good, critical, serious, treated and released, treated and moved, or dead.
All other data should not be shared with the media or any person not engaged in patient care without first acquiring written permission from the patient concerned.
Disclosures of Data Concerning COVID-19 by Non-HIPAA Covered Entities
It is important to note that HIPAA simply is applicable to HIPAA-covered entities, business associates of HIPAA-covered entities, and subcontractors of business associates. Other entities are not constrained to share information concerning the 2019 Novel Coronavirus and COVID-19; nevertheless, while HIPAA may not be applicable, other federal and state regulations may do.
The HIPAA Privacy Rule covers the communications between companies and workers. HIPAA is not applicable in case a worker informs an employer that he or she has contracted COVID-19 or are on self-quarantine since they are showing signs of COVID-19. HIPAA is applicable in case a hiring manager is told about a worker testing positive by the health plan of the company.