By: Andrew Eills and Jason Gregoire
March 13, 2020
With President Trump’s implementation of a travel ban on European travelers, calls for a ban on large gatherings, the creation of “exclusion zones,” recommendations for “social distancing,” the cancellation of festivals and sporting events, colleges and universities sending students home for the semester, a stock market in decline, and 37 confirmed US deaths, we are just beginning to feel the effects of the coronavirus (the disease known as “COVID-19”).
As federal and state health authorities such as the Centers for Disease Control and Prevention work to track, contain, and understand the spread of COVID-19, they may seek protected health information (“PHI”) from businesses of all types. Given that the World Health Organization has officially labeled the spread of COVID-19 as a pandemic, HIPAA covered entities (health care providers, health plans and health care clearinghouses) and their business associates (contractors of covered entities who use or disclose PHI in the course of their work for a covered entity) should be aware of the applicable privacy rules regarding disclosure of PHI during a public health emergency.
It is important to remember that HIPAA only applies to covered entities and their business associates, and that the law does not apply to companies just because they possess health information about employees in employment records. In other words, a company is not subject to HIPAA simply because it receives health information concerning employees such as confirmation that an employee has tested positive for COVID-19.
The US Department of Health and Human Services has released a Bulletin: HIPAA Privacy and Novel Coronavirus, which discusses different circumstances under which covered entities and business associates may disclose PHI without a patient authorization (the “Bulletin”). In general, the Bulletin reminds covered entities that HIPAA still applies during a public health emergency. The Bulletin also explains that while a written patient authorization is generally required to disclose PHI, in times of pandemic covered entities may disclose patients’ PHI without written authorization including disclosures for treatment, coordination of care, and referrals for additional treatment. Below is a summary of important points from the Bulletin.
Covered Entities and Business Associates May Disclose PHI to Public Health Authorities for Public Health Activities
Under the HIPAA Privacy Rule, covered entities and business associates may disclose PHI to a public health authority when such authority is allowed by law to seek PHI for public health activities. A “public health authority” includes an agency of the US government, a State, a territory, or political subdivision of a State or territory, responsible for public health matters, as well entities acting under grants of authority from public health agencies. A “public health activity” includes reporting of disease, public health investigations, public health surveillance, and public health interventions.
In response to a request for PHI from such an authority, a covered entity or business associate may disclose patients’ PHI for the purpose of controlling the spread of COVID-19. Similarly, in Massachusetts and New Hampshire, covered entities and business associates may disclose PHI to those at risk of contracting COVID-19 because state laws allow public health authorities and health care providers to notify persons at risk in order to control the spread of disease or to carry out a public health intervention.
Covered Entities and Business Associates May Disclose PHI to Avert a Serious or Imminent Threat to Public Health
The Privacy Rule permits covered entities and business associates to disclose—without patient authorization—a patient’s PHI to anyone in a position to lessen or prevent a serious or imminent threat to public health or safety. If the covered entity or business associate, in good faith, believes that such disclosure is necessary, then disclosure may be made to persons deemed “reasonably able” to prevent or lessen the spread of COVID-19.
Covered Entities May Disclose PHI to Family Members, Friends, and Others Involved with a Patient’s Care
A covered entity may disclose PHI to family, friends, or others involved with the care of a patient if either it obtains written or verbal permission from a patient or reasonably infers that the patient does not object to the disclosure. If the patient is incapacitated or unavailable, the covered entity may disclose PHI to family, friends, or others involved in care if it determines that, in its professional judgment, disclosing PHI is in the best interests of the patient, unless the patient previously objected to disclosing PHI to the person involved. For example, a provider may determine, in her professional judgment, that it is in the best interests of an elderly incapacitated patient who has contracted COVID-19 to disclose this fact to the patient’s adult child.
While the “Minimum Necessary” Standard Continues to Apply, Covered Entities and Business Associates May Rely Upon a Public Health Authority’s Determination of “Minimum Necessary” When Disclosing PHI
Covered entities and business associates are familiar with the concept that, in disclosing PHI, the disclosure must be limited to the minimum amount of PHI necessary to accomplish the intended purpose. The Privacy Rule, however, relieves some of the burden on these entities by establishing that, when faced with a request for PHI from a public health authority, the receiving entity may rely upon the public health authority’s determination of what information is the “minimum necessary” information subject to disclosure. For instance, when a request arrives for information pertaining to all patients exposed to—or who have tested positive for—COVID-19, a hospital can assume that the information requested by the public health authority is the minimum amount of PHI necessary.
The COVID-19 outbreak is an evolving situation that changes each day. Covered entities and business associates should adhere to the rules specified above and consult legal counsel if they have questions or concerns about whether to disclose PHI without a patient authorization in order to respond to this public health emergency. They should also consider other applicable state and federal privacy laws such as 42 CFR Part 2, which may be more restrictive than HIPAA and require patient authorization or a court order before disclosure of PHI.
 U.S. Department of Health and Human Services, BULLETIN: HIPAA Privacy and Novel Coronavirus (February 2020) https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf
This article is intended to serve as a summary of the issues outlined herein. While it may include some general guidance, it is not intended as, nor is it a substitute for, legal advice.
Please contact attorney Andrew Eills or attorney Jason Gregoire if you have questions about how this law applies to your workplace.