Medicare Compliance & Reimbursement

Hint: Review your state’s privacy rule under a PHE.

As the novel coronavirus (COVID-19) continues to wreak havoc on people across the globe, it’s a good idea to revisit your practice privacy policy during emergency situations, natural disasters, or disease outbreaks.

Details: On Jan. 30, Alex Azar, HHS secretary, announced a public health emergency (PHE) in the wake of the COVID-19 outbreak in the U.S. and abroad. HHS and its subsidiaries have been working in tandem to ensure that providers have all the necessary tools to address the spread of the virus, treat their patients, and safeguard the public (see story, p. 25).

In addition to the declaration, the HHS Office for Civil Rights (OCR) also issued a bulletin offering new insight on the virus, which clarifies patients’ rights and protected health information (PHI) as well as the rules that govern covered entities (CEs) during a PHE.

HIPAA still applies to CEs and their business associates after the feds call a PHE, and both must continue to safeguard patients’ privacy the best they can — whether in the wake of a natural disaster or the grips of a disease outbreak like COVID-19.

Reminder: If a PHE is in place, CEs can disclose patients’ PHI without authorization when it’s “necessary to treat a patient, to protect the nation’s public health, and for other critical purposes,” explains the OCR bulletin.

Review this checklist of when CEs can share PHI without authorization, according to OCR guidance:

Treatment: If necessary, a CE can share PHI without authorization to treat the patient or a different patient.

Public health activities: There are three groups CEs can share PHI with during a PHE without authorization. They include:

• Public health authorities like the Centers for Disease Control and Prevention (CDC) or state or local health departments to prevent or manage disease, injury, or disability.
• Foreign governments at the direction of a public health authority, working with the authority.
• People at risk of contracting or spreading disease, but only if the state law authorizes the CE to notify such persons to avoid or control the spread of the disease, or otherwise to carry out PHE interventions or investigations.

Family and friends: If necessary, a CE can share a patient’s PHI with family, relatives, and friends if they’re part of the patient’s care or need to be located, identified, or notified about location, condition, or death. Additionally, the CE must get “verbal permission” or “infer” the patient wouldn’t object because it’s in their best interest; the patient is incapacitated or unconscious and the provider uses medical judgment to share the data; or the CE needs to share the PHI with a disaster relief organization like the Red Cross to ensure public safety.

Imminent threat: If state laws and ethics are observed, providers may share PHI to avoid or diminish dangers and imminent threats.

Although HIPAA permits disclosures of PHI without patient authorization for public health activities and emergencies, you “cannot disregard a patient’s right to privacy in those cases where a patient’s information has been the subject of a public health report,” cautions attorney Laurie Cohen of Nixon Peabody LLP in Albany, New York, in a blog post.

Resource: See more OCR insight on the virus and HIPAA at www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf.