Practice Management Alert

HIPAA:

Prioritize Patient Privacy, Even During Emergencies

Bone up on which parts of the HIPAA Privacy Rule apply during a public health emergency.

Patient health privacy matters, even during an epidemic or pandemic. Doctors’ offices, as covered entities (CEs), must abide by the HIPAA Security and Privacy Rules.

“In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information,” says the Office for Civil Rights (OCR) in a dedicated COVID-19 fact sheet.

With the novel coronavirus dominating the news, the government issued updated guidance on the HIPAA Privacy Rule. The update advises on the best way to thwart the virus while protecting patients’ privacy.

In addition to the declaration, OCR also issued a bulletin offering new insight on the virus, which clarifies people’s rights and protected health information (PHI), as well as the rules that govern CEs during a public health emergency (PHE).

Remember: HIPAA still applies to CEs and their business associates after the feds call a PHE, and both must continue to safeguard patients’ privacy the best they can — whether in the wake of a natural disaster or the grip of a disease outbreak.

Check in on These PHI Disclosure Essentials

If a PHE is in place, CEs can disclose patients’ PHI without authorization when it’s “necessary to treat a patient, to protect the nation’s public health, and for other critical purposes,” explains the OCR bulletin. Here’s a short checklist and the parts of the HIPAA Privacy Rule where you can find the in-depth explanation, according to OCR guidance:

Treatment: If necessary, a CE can share PHI without authorization to treat the patient or a different patient (45 CFR §§ 164.502(a)(1)(ii), 164.506(c), and the definition of “treatment” at 164.501).

Public health activities: There are three groups CEs can share PHI with during a PHE without authorization. They include:

1. Public health authorities like the CDC or state or local health departments to prevent or manage disease, injury, or disability (45 CFR §§ 164.501 and 164.512(b)(1)(i)).

2. Foreign governments at the direction of a public health authority, working with the authority (45 CFR 164.512(b)(1)(i)).

3. People at risk of contracting or spreading disease, but only if the state law authorizes the CE to notify such persons to avoid or control the spread of the disease, or otherwise to carry out PHE interventions or investigations (45 CFR 164.512(b)(1)(iv)).

Family and friends: If necessary, a CE can share a patient’s PHI with family, relatives, and friends if they’re part of the patient’s care or need to be located, identified, or notified about location, condition, or death (45 CFR 164.510(b)). Additionally, the CE must get “verbal permission” or “infer” the patient wouldn’t object because it’s in their best interest; the patient is incapacitated or unconscious and the provider uses medical judgment to share the data; or the CE needs to share the PHI with a disaster relief organization like the Red Cross to ensure public safety.

Imminent threat: As long as state laws and ethics are observed, providers may share PHI to avoid or diminish dangers and imminent threats (45 CFR 164.512(j)).

Although HIPAA permits disclosures of PHI without patient authorization for public health activities and emergencies, you “cannot disregard a patient’s right to privacy in those cases where a patient’s information has been the subject of a public health report,” cautions attorney Laurie Cohen of Nixon Peabody LLP in Albany, New York, in a blog posting.

Resource: See more OCR insight on the virus and HIPAA at www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf.