HIPAA Compliance and COVID-19 Coronavirus

HIPAA covered entities – healthcare providers, health plans, and healthcare clearinghouses – and the business associates of covered entities have a lot to consider in relation to HIPAA compliance and COVID-19 coronavirus cases. It may be unclear what information can be shared about people who have contracted COVID-19 or are suspected of exposure to the 2019 Novel Coronavirus, and with whom that information can be shared.

HIPAA Compliance & the COVID-19 Coronavirus Pandemic

There is understandably some concern about HIPAA compliance during the COVID-19 coronavirus pandemic and how the HIPAA Privacy Rule and Security Rule apply. Since HIPAA was enacted, no disease outbreak on this scale has been encountered.

It is important to bear in mind that during a public health emergency such as a disease outbreak, and this applies to HIPAA compliance and COVID-19, the HIPAA Privacy and Security Rules remain in force. The HIPAA Security Rule requires reasonable and appropriate administrative, physical, and technical safeguards to be put in place to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). The HIPAA Privacy Rule limits the uses and disclosures of PHI: without patient authorization, PHI may generally be used or disclosed only for treatment, payment, and healthcare operations and for a set of other specifically permitted purposes, several of which are discussed below.

When a public health emergency is declared, the Secretary of the HHS may choose to waive sanctions and penalties for noncompliance with specific provisions of the HIPAA Privacy Rule.

Secretary Azar announced that, effective March 15, 2020, a limited HIPAA waiver is in place covering the following provisions of the HIPAA Privacy Rule:

The HIPAA waiver applies only in the area covered by the public health emergency declaration, only to hospitals that have instituted their disaster protocol, and only for a period of up to 72 hours from the time the disaster protocol is implemented. When either the Presidential or Secretarial declaration ends, hospitals must again comply with all Privacy Rule requirements for patients still under their care, even if 72 hours have not elapsed.

OCR published a bulletin about the 2019 Novel Coronavirus in February 2020 explaining how patient information may be shared under the HIPAA Privacy Rule during emergency situations such as the outbreak of an infectious disease. It is summarized below.

Permitted Uses and Disclosures of PHI in Emergencies

PHI can be shared for treatment purposes without first obtaining authorization from the patient. Disclosures are also permitted for coordinating and managing care, for patient referrals, and for consultations with other healthcare professionals.

With a disease like COVID-19, it is crucial for covered entities to notify public health authorities of an infected patient, as those authorities need the information to protect public health and safety. It is permissible to share PHI with public health authorities such as the Centers for Disease Control and Prevention (CDC) and others responsible for safeguarding the public, such as state and local health departments. These disclosures are necessary to help prevent and control disease, injury, and disability. In such cases, PHI may be shared without obtaining authorization from the patient.

Disclosures of PHI are also permitted to prevent or lessen a serious and imminent threat to a specific person or to the public at large, provided such disclosures are consistent with other applicable law. Such disclosures do not require authorization from the patient. In these instances, the decision to disclose is left to the professional judgement of healthcare workers regarding the nature and severity of the threat.

Disclosures of Information to People Involved in a Patient’s Treatment

The HIPAA Privacy Rule allows disclosures of PHI to individuals involved in the care of a patient, including friends, family members, caregivers, and other individuals who have been named by the patient.

HIPAA covered entities are also permitted to share patient information in order to identify or locate a patient, or to notify family members, guardians, and other individuals responsible for the patient's care about the patient's location, general condition, or death. This can include sharing information with law enforcement, the press, or even the public at large when necessary to identify or locate a patient.

In such scenarios, verbal permission should be obtained from the patient where possible before the disclosure is made. Where that is not possible, for example because the patient is incapacitated, a healthcare professional must be able to reasonably infer, using professional judgement, that the patient would not object to a disclosure that is judged to be in the patient's best interest.

Information may also be shared with disaster relief organizations that are authorized by law or by their charters to assist in disaster relief efforts, for example to coordinate notifying family members or other persons involved in the patient's care of the patient's location, condition, or death.

Permitted Disclosures of PHI to First Responders

On March 24, 2020, OCR released additional guidance for covered entities on disclosures of PHI to first responders, law enforcement officers, paramedics, and public health authorities that are permitted without a HIPAA authorization.

OCR confirmed that disclosures of PHI are permitted to allow individuals to provide treatment to patients, to allow first responders to take steps to lessen the risk of contracting COVID-19, when a disclosure could prevent or lessen a serious and imminent threat, and when required by law. PHI may also be shared with a correctional institution or law enforcement official having lawful custody of an inmate or other individual, in response to a request from that institution or official, under certain circumstances.

The guidance document gives examples of permitted disclosures, such as providing an EMS dispatch with a list of individuals who have tested positive for COVID-19 so that EMS personnel responding to a call at one of those addresses can be informed of the risk of infection. 911 call centers are also permitted to share PHI with law enforcement and other first responders about an individual who has been exposed to the 2019 Novel Coronavirus or has contracted COVID-19, so that the first responders can take extra precautions, such as wearing PPE.

The guidance document can be found on this link (PDF).

The HIPAA Minimum Necessary Standard Applies

Except for disclosures by healthcare providers for the purpose of providing treatment, the 'minimum necessary' standard applies. Healthcare workers must make reasonable efforts to limit any PHI disclosed to the minimum necessary to accomplish the purpose for which the information is being disclosed.

When information is requested by a public health authority or official, covered entities may rely on representations from that authority or official that the requested information is the minimum necessary, provided that reliance is reasonable under the circumstances.

Disclosures About COVID-19 Patients to the Press

HIPAA does not apply to disclosures by the press about infections, but it does apply to disclosures to the media by HIPAA-covered entities and their business associates. In such cases, the covered entity or business associate may provide limited information if a request is made about a patient by name. The information disclosed should be limited to the named patient's general condition and location in the facility, and only if the patient has not objected to such disclosures. The patient's condition should be described in general terms such as undetermined, good, fair, serious, critical, treated and released, treated and transferred, or deceased.

No other information may be shared with the media, or with any individual not involved in the care of a patient, without first obtaining written authorization from the patient in question.

Disclosures of Information About COVID-19 by Non-HIPAA Covered Groups

It is worth remembering that HIPAA only applies to HIPAA-covered entities, business associates of HIPAA-covered entities, and subcontractors of business associates. HIPAA places no limits on disclosures of information about the 2019 Novel Coronavirus and COVID-19 by other organizations; however, while HIPAA may not apply, other federal and state laws may.

Healthcare communications between employers and employees are not governed by the HIPAA Privacy Rule, so it does not apply if an employee informs an employer that they have contracted COVID-19 or are self-isolating because they are showing symptoms of COVID-19. HIPAA would only come into play if the information came from the employer's health plan, which as a covered entity is restricted in what it may disclose to the employer about an employee's positive test.

Providing Telehealth Services During the COVID-19 Crisis

On March 17, 2020, the HHS' Office for Civil Rights announced in a Notice of Enforcement Discretion that sanctions and penalties for noncompliance with the HIPAA Rules will not be imposed in connection with the good faith provision of telehealth during the nationwide COVID-19 public health emergency.

OCR said: “A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency.”

OCR states that the enforcement discretion applies to telehealth services provided for any purpose, regardless of whether the service is related to the diagnosis or treatment of health conditions connected to COVID-19. The Notice applies to all HIPAA-covered health care providers that provide telehealth services during the emergency.

OCR is not suspending all enforcement activity related to the provision of telehealth services, only enforcement related to the good faith use of telehealth during the COVID-19 public health emergency. Where the HIPAA Rules have not been followed to the letter, OCR will consider all facts and circumstances in deciding whether telehealth services were provided in good faith.

OCR has confirmed that the bad faith provision of telehealth services would still be subject to fines and sanctions. Bad faith includes, but is not limited to:

  • Conduct in the course of, or in furtherance of, a criminal act;
  • Intentional invasions of privacy;
  • Further uses of PHI shared during telehealth communications, such as the use of PHI for marketing without prior authorization;
  • Violations of state licensing laws or professional ethical standards that result in disciplinary action related to the treatment offered or provided via telehealth;
  • Use of public-facing communication products such as Slack, Facebook Live, Twitch, and TikTok, as they are designed to be open to the public and do not have sufficient privacy protections.

Only non-public facing communication platforms may be used for telehealth. These platforms are designed to allow only the intended parties to communicate – the initiator of the conversation and the intended recipient(s). Many commercially available products can be used, including video communication products such as Facebook Messenger video, Google Hangouts video, WhatsApp video chat, and Apple FaceTime. It is also permissible to use text-based messaging applications such as WhatsApp, Jabber, Facebook Messenger, Google Hangouts, and Signal.

These products would not necessarily be HIPAA-compliant in normal circumstances, but they may be used during the public health emergency until OCR publicly announces that its Notice of Enforcement Discretion is no longer in effect.

Healthcare providers must take steps to ensure that telehealth services are conducted in a private setting. Telehealth services should not be provided in public or semi-public locations. OCR said: "If telehealth cannot be provided in a private setting, covered health care providers should continue to implement reasonable HIPAA safeguards to limit incidental uses or disclosures of protected health information. Such reasonable precautions could include using lowered voices, not using speakerphone, or recommending that the patient move to a reasonable distance from others when discussing PHI."

More details on the provision of telehealth services during the COVID-19 public health emergency are available from OCR on this link.


About James Keogh
James Keogh is an experienced journalist specializing in healthcare compliance with a particular focus on cybersecurity. With several years of experience in the field, he has developed a deep understanding of the challenges and developments related to protecting patient data and ensuring regulatory compliance in the healthcare sector. James is on Twitter https://x.com/JamesKeoghHIPAA and LinkedIn https://www.linkedin.com/in/james-keogh-89023681