On February 3, 2020, in response to the coronavirus outbreak, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued a bulletin with guidance on HIPAA compliance in the context of an outbreak of an infectious disease or other emergency situation.
OCR has issued this bulletin to remind physicians and healthcare organizations, or covered entities, about “the ways that patient information may be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation.” The agency emphasizes that “the protections of the Privacy Rule are not set aside during an emergency.” However, the regulation “is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health and for other critical purposes.”
The OCR release outlines protocol for sharing patient information under the following circumstances:
- Treatment: Healthcare “entities may disclose, without a patient’s authorization, protected health information (PHI) about the patient as necessary to treat the patient or to treat a different patient.” This includes coordination of care, provider consultation and referrals.
- Public health activities: Healthcare organizations are permitted to disclose PHI without individual consent when reporting information to a public health authority, such as the CDC or a state or local health department, to a foreign government agency acting in collaboration with a public health authority, and to people at risk of spreading or contracting the disease.
- Disclosures to family, friends and others involved in an individual’s care and for notification: “A covered entity may share protected health information with a patient’s family members, relatives, friends or other persons identified by the patient” who are involved in the patient’s care. Additionally, PHI can be shared in order to “identify, locate and notify family members, guardians or anyone else responsible for the patient’s care.”
- Disclosures to prevent a serious and imminent threat: “Providers may disclose a patient’s health information to anyone who is in a position to prevent or lessen the serious and imminent threat, including family, friends, caregivers and law enforcement without a patient’s permission.”
- Disclosures to the media or others not involved in the care of the patient/notification: With the exception of limited circumstances, “affirmative reporting to the media or the public at large about an identifiable patient… may not be done without the patient’s written authorization.”
OCR notes that almost all disclosures require a provider to “make reasonable efforts to limit the information disclosed to that which is the ‘minimum necessary.’” Even in emergency situations, “entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional” disclosure.
MLMIC offers a number of resources that can help policyholders adhere to HIPAA regulations:
- New Cybersecurity Protocol for New York State Healthcare Organizations, a blog post on updated New York State protocol for safeguarding private patient information;
- Breach Notification Under HIPAA – When Health Information is Compromised, a blog post with guidance on properly responding to a breach of PHI;
- Maintaining Patient Confidentiality, a risk management tip for protecting PHI; and
- Security of Patient Information and Health Information Technology, a risk management tip for securing PHI electronically.