The Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) issued a Bulletin on sharing and protecting patients’ protected health information (“PHI”) in compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) during the COVID-19 national emergency. The Bulletin emphasizes that the HIPAA Privacy Rule is still in effect during this national emergency, but that HIPAA-covered entities may use or disclose patients’ PHI when necessary to treat a patient, to protect the nation’s public health and for other critical purposes.
Application of the Privacy Rule
The Privacy Rule applies only to HIPAA-covered entities and business associates, and does not apply to disclosures made by businesses that do not fall into one of these categories. Covered entities include health plans, health care clearinghouses and health care providers that conduct one or more health care transactions electronically (e.g., submitting claims to a health plan). Business associates perform functions or activities on behalf of, or provide services to, a covered entity, that involve the creation, receipt, maintenance or transmission of PHI.
Disclosures of PHI
Under the Privacy Rule, covered entities may disclose patient PHI in the following circumstances:
- Treatment: Covered entities may disclose a patient’s PHI without the patient’s authorization when necessary to treat the patient or to treat a different patient (e.g., coordination of health care among health care providers, consultation between providers and patient referral).
- Public Health Activities: For public health purposes, a covered entity may disclose a patient’s PHI without the patient’s authorization:
- To a public health authority (e.g., CDC) for the purpose of preventing or controlling disease, injury or disability (e.g., reporting of disease or injury; reporting vital events such as births or deaths; conducting public health surveillance, investigations or interventions). In the context of COVID-19, for example, a covered entity could disclose to the CDC the PHI of patients exposed to, or suspected or confirmed to be diagnosed with, the virus.
- At the direction of a public health authority, to a foreign government agency acting in collaboration with the public health authority.
- To persons at risk of contracting or spreading a disease, if other law (e.g., state law) authorizes the covered entity to make such disclosures to prevent or control the spread of the disease or for other sanctioned public health reasons.
- Friends, Family and Others Involved in the Patient’s Care: A covered entity may share a patient’s PHI with the patient’s family members, relatives, friends or others identified by the patient, when such information is directly relevant to the person’s involvement in the patient’s care. Covered entities also may share information about a patient as necessary to identify, locate, and notify family members, guardians or anyone else responsible for the patient’s care, of the patient’s location, general condition or death. Where necessary to notify family members and others, a covered entity may notify the police, the press or the public at large.
- Patient permission: When possible, a covered entity should obtain a patient’s verbal permission or otherwise be able to reasonably infer that the patient does not object to such disclosures of his or her PHI. For unconscious or incapacitated patients, a covered entity may share a patient’s PHI for these purposes if doing so is in the patient’s best interest.
- Disaster relief organizations: Covered entities also may share a patient’s PHI with disaster relief organizations (e.g., the American Red Cross) for the purpose of notifying persons responsible for the patient’s care of the patient’s location, general condition or death. A covered entity need not obtain a patient’s permission to share his or her PHI if doing so would interfere with the organization’s ability to respond to the emergency.
- Prevention of a Serious and Imminent Threat: In the event of a serious and imminent threat to the health and safety of a person or the public, a covered entity may share a patient’s PHI with anyone as necessary to prevent such threat, without the patient’s permission. Such disclosures must be consistent with applicable law (e.g., state statutes, regulations and case law) and the covered entity’s standards of ethical conduct.
- Media: In general, a covered entity may not disclose a patient’s PHI to the media or to the public at large without the patient’s written authorization. If a patient has not objected to or restricted the release of his or her PHI, a covered hospital or health care facility may, upon request, release limited facility directory information to acknowledge the individual is a patient, and provide basic information about the patient’s condition in general terms (e.g., critical, stable, deceased, or treated and released). If the patient is incapacitated, the covered entity may release such information if it believes the disclosure would be in the best interest of the patient and is consistent with the patient’s prior expressed preferences.
Minimum Necessary
For most disclosures (excluding disclosures to health care providers involved in the care of a patient), a covered entity must make reasonable efforts to disclose only the “minimum necessary” amount of the patient’s PHI to accomplish the stated purpose. A covered entity may rely on the representations of public health authorities that the requested information is the minimum necessary, when reasonable under the circumstances. In the context of COVID-19, a covered entity may rely on the CDC’s representations that PHI requested about all patients exposed to, or suspected or confirmed to have, the virus is the minimum necessary for the public health purpose. In addition, the Bulletin advises covered entities to continue to limit access to PHI to only workforce members who need it to carry out their duties.
Safeguarding PHI
During an emergency, covered entities must continue to implement reasonable safeguards to protect PHI against intentional or unintentional impermissible uses and disclosures. Covered entities (and their business associates) must also comply with the HIPAA Security Rule by implementing administrative, physical and technical safeguards to protect electronic PHI.
Read the full OCR Bulletin.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code