As such, the Office for Civil Rights at the U.S. Department of Health and Human Services has recently shared an updated bulletin reminding health care providers of the ways in which patient information can be shared under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. As per the HIPAA rule, the notice recognizes the need for public health officials to have access to protected medical information as a method of protecting the health and safety of both individual patients and the public at large. As such, it permits covered entities to disclose protected health information without authorization when mandated as necessary.
Guidelines for Sharing Patient Information
The HIPAA Privacy Rule is intended to protect the privacy of patients’ health information, with exceptions made for appropriate disclosures of information when necessary to treat a patient, protect the nation’s public health, and for other critical purposes. In the case of a global pandemic, such disclosures may be warranted more frequently as public health organizations and government officials rely on patient health information to inform their directives.
Serving as a reminder of the protections of the Privacy Rule which are not set aside during an emergency, the latest bulletin provides essential guidance for health care providers. The latest HIPAA regulations are outlined below and can be found on the U.S. Department of Health and Human Services’ website as well.
Treatment Information
Under the Privacy Rule, HIPAA-covered entities may disclose protected health information about a patient as necessary to treat both the patient and other patients without authorization. This includes the coordination and management of care as well as all other related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment.
Public Health Activities
The act recognizes the legitimate need of public health officials and others responsible for ensuring public health and safety to access protected health information that is necessary to carry out their mission. Under the Privacy Rule, covered entities can disclose the needed health information without patient authorization to public health authorities, at the direction of a public health authority, to foreign government agencies, and to persons deemed at risk.
Health care providers are permitted to disclose such information to a public health authority – an agency or authority of the United States government, a State or a territory responsible for public health – as well as an individual acting under a grant of authority from such an agency. This includes the CDC or a state or local health department authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability. Examples include the reporting of disease or injury and vital events (such as births or deaths) or conducting public health surveillance, investigations, or interventions.
Under these regulations, a covered entity may disclose to the CDC protected health information as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have COVID-19. Furthermore, protected information may be disclosed to individuals deemed at risk of contracting or spreading the virus – if allowed for by state law – to notify persons as necessary and prevent the spread of disease.
Disclosures to Family Members and Others
According to the HIPAA Privacy Rule, a covered entity may share protected health information with a patient’s family members, relatives, friends, or other involved individuals. Information may also be shared to identify, locate, and notify anyone responsible for the patient’s care, as well as to convey the patient’s location, general condition, or death. Recipients of this information can include family members and other persons involved in the patient’s life, the police, the press, or the general public. Furthermore, a covered entity may share protected medical information with disaster relief organizations, such as the American Red Cross. However, the covered entity should receive verbal permission from patients when possible before disclosing such information.
Disclosures to Prevent Serious and Imminent Threat
Clinicians are permitted to share protected patient information with anyone to prevent or lessen a serious and imminent threat to the health and safety of a person or the public under applicable law and standards of ethical conduct. Providers may disclose information to anyone who is in a position to prevent or lessen an imminent threat without prior permission. In such cases, however, health care professionals are urged to use professional judgment and care in making determinations about the severity of the imminent threat.
Disclosures to Media or Others Not Involved
Unless otherwise noted in the bulletin, clinicians cannot disclose information about an identifiable patient to the media or public at large without written authorization from the patient or their personal representative. However, covered entities may disclose limited medical information in cases of incapacitated patients. Additionally, information can be shared about patients who have not restricted the release of protected health information if this is done in the best interest of the patient or in response to a request to disclose information about a particular patient asked for by name.
Share “Minimum Necessary”
In the majority of cases, information disclosed should be kept to the “minimum necessary,” although this does not apply to disclosures to health care providers for treatment purposes. Under the Privacy Rule, covered entities may rely on representations from public health officials to ensure the requested information is the minimum necessary. For example, covered entities may rely on CDC representations that protected health information requested by the CDC about all patients exposed to, or suspected or confirmed to have, COVID-19 is the minimum necessary for the public health purpose.
Safeguarding Patient Information
Medical professionals must prioritize safeguarding patient information; clinicians are responsible for protecting patient health information against intentional or unintentional impermissible uses and disclosures. Covered entities must apply the administrative, physical, and technical safeguards outlined under the HIPAA Security Rule to ensure the confidentiality of electronic medical data.
HIPAA-Covered Entities and Business Associates
Lastly, the HHS’ bulletin reminds clinicians of who the HIPAA Privacy Rule applies to. Currently, the Privacy Rule applies to disclosures made by employees, volunteers, and other members of a covered entity’s or its business associate’s workforce. This includes health plans, health care clearinghouses, as well as health care providers that conduct one or more covered health care transactions electronically. Under the rule, business associates are defined as individuals or entities that perform functions or activities on behalf of or provide services to a covered entity that involve the use of protected health information. These also include subcontractors working on behalf of other business associates.
As such, the Privacy Rule does not apply to disclosures made by entities or other persons who are not covered entities or business associates, such as third-party administrators.
Understanding and following HIPAA rules is crucial to navigating the increasingly complex clinical setting during the global COVID-19 pandemic. Health care professionals are urged to treat all medical information as confidential, affording it HIPAA protections to operate out of an abundance of caution. Disclosures of protected health information should be made only to authorized personnel and care should be taken to ensure patient data is not shared unintentionally. During these tumultuous times, public health organizations and experts will continue to release the latest guidance as it becomes available to help health care providers tackle the disease while protecting themselves.