HIPAA compliance and the COVID-19 pandemic

Section 1135 HIPAA waiver

In light of the COVID-19 outbreak, the Secretary of the U.S. Department of Health and Human Services (HHS) waived certain provisions of the HIPAA Privacy Rule.  The Secretary waived sanctions and penalties arising from a hospital’s noncompliance with the following:

  • The requirement to obtain a patient’s agreement to speak with family members or friends;
  • The requirement to honor a patient’s request to opt out of the facility directory;
  • The requirement to distribute a notice of privacy practices;
  • The patient’s right to request privacy restrictions; and
  • The patient’s right to request confidential communications.

The Section 1135 waiver took effect on March 15, 2020, and it only applies: 1) in the emergency area identified in the public health emergency declaration (the public emergency declaration in response to COVID-19 is for the entire United States); 2) to hospitals that have instituted a disaster protocol; and 3) for up to 72 hours from the time the hospital implements its disaster protocol.  In addition, the waiver is effective only if actions under the waiver do not discriminate on the basis of the patient’s source of payment or ability to pay.

Sharing patient information

Even without the 1135 waiver, the HIPAA Privacy Rule already allows patient information to be shared for certain purposes and subject to certain conditions.  The Office for Civil Rights (OCR) at HHS issued a bulletin providing information on the ways that covered entities and business associates may share protected health information (PHI) under the HIPAA Privacy Rule during a public health emergency.  A “covered entity” under HIPAA is generally a healthcare provider, a health plan, or a healthcare clearinghouse.  The bulletin is available here.

  • Treatment. Covered entities may disclose PHI about the patient as necessary to treat the patient or to treat a different patient.
  • Public health authorities. The Privacy Rule permits covered entities to disclose needed PHI, including:
    • To a public health authority that is authorized by law to collect or receive such information.
    • To persons at risk of contracting or spreading a disease if other law authorizes it to prevent or control the spread of the disease or carry out public health activities.
  • Disclosures to family, friends, and others involved in an individual’s care and for notification.  A covered entity may share PHI with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care.  A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death.
  • Disclosures to prevent a serious and imminent threat. Healthcare providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law and the provider’s standards of ethical conduct.

For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose.  In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures.

Sharing patient information to first responders and others

OCR issued additional guidance on how covered entities may disclose PHI about an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities in compliance with the HIPAA Privacy Rule.  The guidance provides examples of the circumstances in which a covered entity may disclose PHI, including: when needed to provide treatment; when required by law; when first responders may be at risk of infection; and when disclosure is necessary to prevent or lessen a serious and imminent threat.  The guidance is available here.

If you have questions about HIPAA or other healthcare regulatory matters, please do not hesitate to contact your McAfee & Taft Healthcare attorney.