The Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) issued a Bulletin on sharing and protecting patients’ protected health information (“PHI”) in compliance with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) during the COVID-19 national emergency. The Bulletin emphasizes that the HIPAA Privacy Rule is still in effect during this national emergency, but that HIPAA-covered entities may use or disclose patients’ PHI when necessary to treat a patient, to protect the nation’s public health and for other critical purposes.

Application of the Privacy Rule

The Privacy Rule applies only to HIPAA-covered entities and business associates, and does not apply to disclosures made by businesses that do not fall into one of these categories. Covered entities include health plans, health care clearinghouses and health care providers that conduct one or more health care transactions electronically (e.g., submitting claims to a health plan). Business associates perform functions or activities on behalf of, or provide services to, a covered entity, that involve the creation, receipt, maintenance or transmission of PHI.

Disclosures of PHI

Under the Privacy Rule, covered entities may disclose patient PHI in the following circumstances:

  • Treatment: Covered entities may disclose a patient’s PHI without the patient’s authorization when necessary to treat the patient or to treat a different patient (e.g., coordination of health care among health care providers, consultation between providers and patient referral).
  • Public Health Activities: For public health purposes, a covered entity may disclose a patient’s PHI without the patient’s authorization:
    • To a public health authority (e.g., CDC) for the purpose of preventing or controlling disease, injury or disability (e.g., reporting of disease or injury; reporting vital events such as births or deaths; conducting public health surveillance, investigations or interventions). In the context of COVID-19, for example, a covered entity could disclose to the CDC the PHI of patients exposed to, or suspected or confirmed to be diagnosed with, the virus.
    • At the direction of a public health authority, to a foreign government agency acting in collaboration with the public health authority.
    • To persons at risk of contracting or spreading a disease, if other law (e.g., state law) authorizes the covered entity to make such disclosures to prevent or control the spread of the disease or for other sanctioned public health reasons.
  • Friends, Family and Others Involved in the Patient’s Care: A covered entity may share a patient’s PHI with the patient’s family members, relatives, friends or others identified by the patient, when such information is directly relevant to the person’s involvement in the patient’s care. Covered entities also may share information about a patient as necessary to identify, locate, and notify family members, guardians or anyone else responsible for the patient’s care, of the patient’s location, general condition or death. Where necessary to notify family members and others, a covered entity may notify the police, the press or the public at large.
    • Patient permission: When possible, a covered entity should obtain a patient’s verbal permission or otherwise be able to reasonably infer that the patient does not object to such disclosures of his or her PHI. For unconscious or incapacitated patients, a covered entity may share a patient’s PHI for these purposes if doing so is in the patient’s best interest.
    • Disaster relief organizations: Covered entities also may share a patient’s PHI with disaster relief organizations (e.g., the American Red Cross) for the purpose of notifying persons responsible for the patient’s care of the patient’s location, general condition or death. A covered entity need not obtain a patient’s permission to share his or her PHI if doing so would interfere with the organization’s ability to respond to the emergency.
  • Prevention of a Serious and Imminent Threat: In the event of a serious and imminent threat to the health and safety of a person or the public, a covered entity may share a patient’s PHI with anyone as necessary to prevent such threat, without the patient’s permission. Such disclosures must be consistent with applicable law (e.g., state statutes, regulations and case law) and the covered entity’s standards of ethical conduct.
  • Media: In general, a covered entity may not disclose a patient’s PHI to the media or to the public at large without the patient’s written authorization. If a patient has not objected to or restricted the release of his or her PHI, a covered hospital or health care facility may, upon request, release limited facility directory information to acknowledge the individual is a patient, and provide basic information about the patient’s condition in general terms (e.g., critical, stable, deceased, or treated and released). If the patient is incapacitated, the covered entity may release such information if it believes the disclosure would be in the best interest of the patient and is consistent with the patient’s prior expressed preferences.

Minimum Necessary

For most disclosures (excluding disclosures to health care providers involved in the care of a patient), a covered entity must make reasonable efforts to disclose only the “minimum necessary” amount of the patient’s PHI to accomplish the stated purpose. A covered entity may rely on the representations of public health authorities that the requested information is the minimum necessary, when reasonable under the circumstances. In the context of COVID-19, a covered entity may rely on the CDC’s representations that PHI requested about all patients exposed to, or suspected or confirmed to have, the virus is the minimum necessary for the public health purpose. In addition, the Bulletin advises covered entities to continue to limit access to PHI to only workforce members who need it to carry out their duties.

Safeguarding PHI

During an emergency, covered entities must continue to implement reasonable safeguards to protect PHI against intentional or unintentional impermissible uses and disclosures. Covered entities (and their business associates) must also comply with the HIPAA Security Rule by implementing administrative, physical and technical safeguards to protect electronic PHI.

Read the full OCR Bulletin.