COVID has changed the face of healthcare, and HIPAA is evolving with it.

HIPAA is widely known for its Privacy Rule, which safeguards protected health information (PHI) of individuals from disclosure by healthcare providers, insurance companies, and other covered entities. In response to the COVID-19 pandemic, the Department of Health and Human Services (HHS) has issued special guidance with respect to the sharing of information about patients, including people infected with the COVID-19 virus.

For covered entities, the exceptions granted by HHS fall under two categories. First, HHS guidance provides for the sharing of information about COVID-infected patients with law enforcement, paramedics, and other first responders, as well as with public health authorities at the national, state, and local levels. Second, HHS has issued guidance that enables covered entities to share PHI with Health Information Exchanges (HIEs) under specific circumstances. Below we’ll detail those circumstances.

First Responders & Public Health Authorities

Under limited circumstances, HHS guidance permits the disclosure of information about infected patients to law enforcement, paramedics, and other first responders, as well as to public health authorities (PHAs):


  • When the disclosure is needed to provide treatment. For example, infection status may be disclosed to ambulance personnel transporting a patient with COVID who accordingly requires specific treatment.
  • When such notification is required by law. If state law requires such notification, for example, it is not considered a violation of the HIPAA Privacy Rule.
  • To notify a public health authority in order to prevent or control spread of disease.
  • When first responders may be at risk of infection. For example, a covered entity may share PHI if they believe that it’s necessary to protect police or fire department personnel, child welfare or mental health workers, or others performing a public health and safety function, provided that the covered entity believes in good faith that the disclosure is necessary to prevent or minimize the threat of exposure to those personnel.
  • When the disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. In other words, when first responders need to know about a possible infection in order to protect others.
  • When responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual.

Although HHS guidance allows for the sharing of PHI under the circumstances mentioned above, covered entities are still responsible for making reasonable efforts to limit the amount of information they disclose, and the parties to whom they disclose it. HHS requires that the “minimum necessary” disclosures be made in order to accomplish the intended purpose.

Sharing PHI with Health Information Exchanges (HIE)

The second category of guidance relates to Health Information Exchanges (HIEs), which are organizations that facilitate the sharing of electronic protected health information (ePHI) among more than two unaffiliated entities. Generally, these exchanges exist for the purpose of facilitating treatment, payment, or health care operations, but they may also report information to public health authorities (PHAs) and perform statistical analysis of the data they collect.

Covered entities may share information with HIEs under the following situations:

  • When the disclosure is required by law. If state law requires such disclosure, for example, it is not considered a violation of the HIPAA Privacy Rule.
  • When the HIE is a business associate of the covered entity (or of another business associate) that wishes to provide PHI to a PHA. For example, the covered entity may direct the HIE to report PHI to the department of public health at the local or state level, as a measure aimed at protecting public health from the spread of COVID-19.
  • When an HIE is acting under a grant of authority or contract with a PHA for a public health activity. For example, if a state public health agency contracts with an HIE to collect data from healthcare providers, those providers may share PHI with the HIE in accordance with that program, even if they don’t have a business associate relationship with the HIE.