HIPAA covered entities – healthcare providers, health plans, healthcare clearinghouses – and business associates of covered entities no doubt have many questions about HIPAA compliance and COVID-19 coronavirus cases. There may be confusion about what information can be shared about individuals who have contracted COVID-19 or are suspected of having been exposed to the 2019 Novel Coronavirus, and about who that information can be shared with.

HIPAA Compliance and the COVID-19 Coronavirus Pandemic

There is understandably concern about HIPAA compliance during the COVID-19 coronavirus pandemic and about how the HIPAA Privacy Rule and Security Rule apply. Since HIPAA was enacted, no disease outbreak on this scale has been experienced.

It is important to remember that during a public health emergency such as a disease outbreak, including the COVID-19 pandemic, the HIPAA Privacy and Security Rules still apply. The HIPAA Security Rule requires administrative, physical, and technical safeguards to be implemented to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). The HIPAA Privacy Rule permits uses and disclosures of PHI without patient authorization for treatment, payment, and healthcare operations, and for a limited set of other purposes such as public health activities; all other uses and disclosures require the patient’s written authorization.

When public health emergencies are declared, the Secretary of the HHS may choose to waive certain sanctions and penalties for noncompliance with specific provisions of the HIPAA Privacy Rule.

Secretary Azar has announced that, effective March 15, 2020, a limited HIPAA waiver is in place covering the following provisions of the HIPAA Privacy Rule:

  • The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care – 45 CFR 164.510(b);
  • The requirement to honor a request to opt out of the facility directory – 45 CFR 164.510(a);
  • The requirement to distribute a notice of privacy practices – 45 CFR 164.520;
  • The patient’s right to request privacy restrictions – 45 CFR 164.522(a);
  • The patient’s right to request confidential communications – 45 CFR 164.522(b).

The HIPAA waiver only applies in the emergency area covered by the public health emergency declaration, only to hospitals that have implemented their disaster protocol, and only for a period of up to 72 hours from the time the disaster protocol is implemented. When either the Presidential or Secretarial declaration terminates, hospitals must once again comply with all Privacy Rule requirements for patients still under their care, even if 72 hours have not elapsed.

OCR released a bulletin about the 2019 Novel Coronavirus in February 2020 confirming how patient information may be shared under the HIPAA Privacy Rule during emergency situations such as the outbreak of an infectious disease. A summary of that bulletin follows.

Permitted Uses and Disclosures of PHI in Emergencies

PHI can be disclosed for treatment purposes without first obtaining authorization from the patient. This includes disclosures for coordinating and managing care, for patient referrals, and for consultations with other healthcare professionals.

With a disease such as COVID-19, it is essential for covered entities to notify public health authorities of an infected patient, as the public health authorities will need information in order to ensure public health and safety. It is permissible to share PHI with public health authorities such as the Centers for Disease Control and Prevention (CDC) and others responsible for ensuring the safety of the public, such as state and local health departments. These disclosures are necessary to help prevent and control disease, injury, and disability. In such cases, PHI may be shared without obtaining authorization from the patient.

Disclosures of PHI are also permitted, without patient authorization, to prevent or lessen a serious and imminent threat to a specific person or to the public, provided such disclosures are consistent with other applicable laws and standards of ethical conduct. Whether to make such a disclosure is left to the professional judgement of healthcare professionals about the nature and severity of the threat.

Disclosures of Information to Individuals Involved in a Patient’s Care

The HIPAA Privacy Rule permits disclosures of PHI to individuals involved in the care of a patient, such as friends, family members, caregivers, and other individuals who have been identified by the patient.

HIPAA covered entities are also permitted to share patient information in order to identify or locate a patient, or to notify family members, guardians, and other individuals responsible for the patient’s care, about the patient’s location, general condition, or death. This can also include sharing information with law enforcement, the press, or even the public at large to identify or locate a patient.

In such cases, verbal permission should be obtained from the patient where possible prior to the disclosure. A healthcare professional must otherwise be able to reasonably infer, using professional judgement, that the patient does not object to a disclosure that is determined to be in the best interest of the patient.

Information may also be shared with disaster relief organizations that are authorized by law or charters to assist in disaster relief efforts, such as for coordinating the notification of family members or other persons involved in the patient’s care about the location of a patient, their condition, or death.

Permitted Disclosures of PHI to First Responders

On March 24, 2020, OCR issued further guidance for covered entities on permitted disclosures of PHI to first responders, law enforcement officers, paramedics, and public health authorities that do not require a HIPAA authorization.

OCR confirmed that disclosures of PHI are permitted to allow individuals to provide treatment to patients, to allow first responders to take steps to reduce the risk of contracting COVID-19, when a disclosure could prevent or lessen a serious and imminent threat, and when required to do so by law. PHI may also be shared with a correctional institution or law enforcement when responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual, under certain circumstances.

The guidance document provides examples of permitted disclosures, such as providing an EMS dispatch with a list of individuals who have tested positive for COVID-19 so that EMS personnel responding to a call can be informed when there is a risk of infection. 911 call centers are also permitted to share PHI with law enforcement and other first responders about an individual who has been exposed to the 2019 Novel Coronavirus or has contracted COVID-19, to allow the first responders to take extra precautions such as wearing PPE.

The guidance document – COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities – is available from OCR as a PDF.

The HIPAA Minimum Necessary Standard Applies

Aside from disclosures by healthcare providers for the purpose of providing treatment, the ‘minimum necessary’ standard applies. Covered entities must make reasonable efforts to limit any PHI disclosed to the minimum necessary to achieve the purpose of the disclosure.

When information is requested by a public health authority or official, covered entities can rely on representations from the public health authority or official that the requested information is the minimum necessary amount, when that reliance is reasonable under the circumstances.

Disclosures About COVID-19 Patients to the Media

HIPAA does not apply to disclosures by the media about infections, but HIPAA does apply to disclosures to the media by HIPAA-covered entities and their business associates. In such cases, a covered entity may provide limited information if a request is made about a patient by name, consistent with the facility directory provisions. The information disclosed should be limited to the general condition of the named patient and their location in the facility, and only if the disclosure is consistent with the patient’s wishes. The patient’s condition should be described in general terms such as undetermined, good, fair, serious, critical, treated and released, treated and transferred, or deceased.

All other information may not be disclosed to the media, or to any individual not involved in the care of the patient, without first obtaining the written authorization of the patient in question.

Disclosures of Information About COVID-19 by Non-HIPAA Covered Entities

It is worth noting that HIPAA only applies to HIPAA-covered entities, business associates of HIPAA-covered entities, and subcontractors of business associates. HIPAA places no restrictions on disclosures of information about the 2019 Novel Coronavirus and COVID-19 by other entities; however, while HIPAA may not apply, other federal and state laws may.

Communications about health between employers and employees are not governed by the HIPAA Privacy Rule. HIPAA does not apply when an employee tells an employer that they have contracted COVID-19 or are self-isolating because they are displaying symptoms of COVID-19. HIPAA would only apply if the employer is informed that an employee has tested positive for the virus by the employer’s group health plan, which is itself a covered entity.

Sanctions and Penalties Will Not be Imposed on Business Associates for Uses and Disclosures of PHI for Public Health and Health Oversight Activities

On April 2, 2020, the HHS announced that it will exercise enforcement discretion and will not impose financial penalties on business associates, or on the covered entities they serve, for good faith uses and disclosures of PHI by business associates for public health and health oversight activities during the COVID-19 public health emergency.

The Notice of Enforcement Discretion takes effect immediately and will remain in place until the Secretary of the HHS declares that the public health emergency no longer exists. Ordinarily, under the HIPAA Privacy Rule, business associates are only permitted to use or disclose PHI for public health and health oversight activities if their business associate agreements specifically allow them to do so.

The Notice of Enforcement Discretion applies to the HIPAA Privacy Rule provisions at 45 CFR 164.502(a)(3), 45 CFR 164.502(e)(2), and 45 CFR 164.504(e)(1) and (5), but only for a good faith use or disclosure of PHI by a business associate for public health activities consistent with 45 CFR 164.512(b), or for health oversight activities consistent with 45 CFR 164.512(d). The business associate must inform the covered entity about the use or disclosure no later than 10 calendar days after the use or disclosure occurs.

The Notice of Enforcement Discretion only applies to the above provisions of the HIPAA Privacy Rule. The HIPAA Security Rule remains in effect and if a business associate uses or discloses PHI to a public health authority or health oversight agency, the information must be transmitted securely with safeguards implemented to ensure the confidentiality, integrity, and availability of ePHI.

Penalties Waived for the Operation of COVID-19 Community-Based Testing Sites

On April 9, 2020, the HHS issued a Notice of Enforcement Discretion covering the good faith operation of COVID-19 community-based testing sites, such as mobile, walk-up, and drive-through testing facilities. The enforcement discretion covers healthcare providers, such as pharmacies, and business associates that participate in the testing of patients and the collection of specimens at these sites. The Notice of Enforcement Discretion is retroactive to March 13, 2020 and will continue for the duration of the public health emergency.

Although penalties will not be imposed, it is still important to protect the privacy of patients and to ensure the confidentiality, integrity, and availability of all PHI collected, used, stored, or transmitted at these sites. Safeguards should be implemented to protect the privacy of patients, such as barriers, screens, and canopies to prevent patients using the facilities from being observed. Filming at the facilities should be prohibited, and a buffer zone should be established to prevent other users of the facility and members of the public from viewing people being tested.

In order to prevent the spread of SARS-CoV-2, social distancing is necessary. There should be a distance of at least 6 feet between each user of the facility. Social distancing will also help to ensure that conversations between staff and patients cannot be overheard. OCR also recommends posting a notice of privacy practices (NPP) at the facility, and for the notice to include details of where the NPP can be found online.


Providing Telehealth Services During the COVID-19 Pandemic

On March 17, 2020, the HHS’ Office for Civil Rights announced in its Notice of Enforcement Discretion that sanctions and penalties for noncompliance will not be applied in cases of good faith use of telehealth during the nationwide COVID-19 public health emergency.

“A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients,” explained OCR. “OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency.”

OCR notes that the HIPAA enforcement discretion applies to telehealth services provided for any reason, regardless of whether the service is related to the diagnosis and treatment of health conditions related to COVID-19. The Notice applies to all health care providers covered by HIPAA that provide telehealth services during the emergency.

OCR is not suspending all enforcement activity in relation to the provision of telehealth services, only for good faith use of telehealth during the COVID-19 public health emergency. In cases where HIPAA Rules have not been followed to the letter, OCR will consider all facts and circumstances to determine whether there has been good faith provision of telehealth services.

OCR has confirmed that the provision of telehealth services in bad faith would still be subject to penalties and sanctions. Bad faith includes, but is not limited to:

  • Conduct or furtherance of a criminal act;
  • Intentional invasion of privacy;
  • Further uses of PHI transmitted during telehealth communications, such as use of PHI for marketing without prior authorization;
  • Violations of state licensing laws or professional ethical standards that result in disciplinary actions related to the treatment offered or provided via telehealth;
  • Use of public-facing communication products such as Slack, Facebook Live, Twitch, and TikTok, which are designed to be open to the public and therefore lack sufficient privacy protections.

Only non-public-facing communication platforms can be used for telehealth. These platforms are designed to allow only the intended parties to communicate – the initiator of the conversation and the intended recipient(s). There are many commercially available solutions that can be used, including remote video communication products such as Facebook Messenger video, Google Hangouts video, WhatsApp video chat, and Apple FaceTime. It is also permissible to use text-based messaging solutions such as WhatsApp, Jabber, Facebook Messenger, Google Hangouts, and Signal.

These solutions are not necessarily HIPAA-compliant, but they can be used during the public health emergency until OCR publicly announces that its Notice of Enforcement Discretion is no longer in effect.

Healthcare providers must take steps to ensure that telehealth services are conducted in a private setting. Telehealth services should not be provided in public or semi-public locations. “If telehealth cannot be provided in a private setting, covered health care providers should continue to implement reasonable HIPAA safeguards to limit incidental uses or disclosures of protected health information,” explained OCR. “Such reasonable precautions could include using lowered voices, not using speakerphone, or recommending that the patient move to a reasonable distance from others when discussing PHI.”

Further information on the provision of telehealth services during the COVID-19 public health emergency is available from OCR.

Background Information on the SARS-CoV-2 Pandemic and COVID-19

The 2019 Novel Coronavirus has been named Severe Acute Respiratory Syndrome Coronavirus 2 (SARS-CoV-2) and causes Coronavirus Disease 2019 (COVID-19). The virus was first identified in December 2019 in Wuhan, in the Hubei province of China. The Chinese government took steps to control the spread of the virus, but it could not be contained and spread around the globe.

The World Health Organization (WHO) declared the outbreak a public health emergency of international concern on January 30, 2020 and declared the outbreak a pandemic on March 11, 2020. HHS Secretary Alex Azar declared the SARS-CoV-2 outbreak a public health emergency for the United States on January 31, 2020 and on March 13, 2020, President Trump declared COVID-19 a national emergency.

SARS-CoV-2 is highly infectious, and COVID-19 has a high mortality rate. The mortality rate is difficult to determine because many people infected with SARS-CoV-2 have only relatively mild symptoms and do not seek medical help. Testing was initially erratic in many locations and tests have been in short supply. Based on the limited data available, estimates of the mortality rate range from less than 1% to 7%. In early March, WHO estimated a mortality rate of 3.4%; however, the data on which these figures are based may be inaccurate, and this is an evolving situation.

One of the main factors that has contributed to the rapid spread of SARS-CoV-2 is the incubation period before symptoms are experienced, during which infected individuals can spread the virus. It can take up to 14 days before infected individuals start displaying symptoms; the median incubation period is believed to be around 5 days.

This is a rapidly changing situation that is likely to get considerably worse until the spread of the disease can be curbed. In the absence of a vaccine to provide protection, steps need to be taken by the entire population to limit exposure and prevent the spread of the disease.