In light of the COVID-19 outbreak, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) ensures that HIPAA-covered entities and their business associates are aware of the ways that patient information may be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency.
Background
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule protects the privacy of patients’ health information (protected health information) but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.
HIPAA and Public Health
The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission. Therefore, the Privacy Rule permits covered entities to disclose needed protected health information without individual authorization:
To a public health authority, such as the CDC or a state or local health department, like Tulsa Health Department, that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability. This would include, for example, the reporting of disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. A “public health authority” is an agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. See 45 CFR §§ 164.501 and 164.512(b)(1)(i). For example, a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV).
Disclosure
Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification: In general, except in the limited circumstances described elsewhere in this Bulletin, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization (or the written authorization of a personal representative who is a person legally authorized to make health care decisions for the patient). See 45 CFR 164.508 for the requirements for a HIPAA authorization. Where a patient has not objected to or restricted the release of protected health information, a covered hospital or other health care facility may, upon request, disclose information about a particular patient by name, may release limited facility directory information to acknowledge an individual is a patient at the facility, and may provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released). Covered entities may also disclose information if the patient is incapacitated, and if the disclosure is believed to be in the best interest of the patient and consistent with any prior expressed preferences of the patient. See 45 CFR 164.510(a).
For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose. (Minimum necessary requirements do not apply to disclosures to health care providers for treatment purposes.) Covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose, when that reliance is reasonable under the circumstances. For example, a covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV) is the minimum necessary for the public health purpose. In addition, internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties. See 45 CFR §§ 164.502(b), 164.514(d).
