In light of the COVID-19 pandemic, many of us may be anxiously following reports on the number of confirmed cases in our area and may be eager to know details about patients tested and diagnosed with the virus. However, during this challenging time, the U.S. Department of Health and Human Services is reminding healthcare facilities, providers, and staff of the importance of continuing to protect patient privacy under HIPAA.[1] Although HIPAA generally provides that a covered entity (e.g., healthcare provider) shall not disclose a patient’s protected health information (PHI) without the patient’s written authorization, there are exceptions that apply during times of public health emergencies.
Public Health Activities
The exception for public health activities at 45 CFR § 164.512(b) allows a covered entity to disclose PHI without a patient’s authorization in several circumstances, including the following:
- To a public health authority authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority. This would include the CDC and state or local health departments.
- To a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation. This would include people with whom a patient has been in contact who may have been exposed to the virus.
Disclosures to Caregivers
The exception at 45 CFR § 164.510(b) allows a covered entity to disclose PHI to a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity may also share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary, notification of the family members and others, including the police, the press, or the public at large.
When disclosing PHI to caregivers, a covered entity normally must obtain verbal permission from the patient. However, in light of this public health emergency, HHS has issued a waiver clarifying that hospitals will not be penalized for failing to comply with this requirement (or certain other HIPAA requirements).[2] The waiver only applies: (1) in the emergency area identified in the HHS Secretary’s public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.
For unconscious or incapacitated patients, a healthcare provider may share relevant information about the patient with family, friends, or others involved in the patient’s care or payment for care if the healthcare provider determines, based on professional judgment, that doing so is in the best interests of the patient. For example, a provider may determine that it is in the best interests of an elderly patient to share relevant information with the patient’s adult child, but generally should not share unnecessary information about the patient’s medical history without permission.
Finally, a covered entity may share PHI with disaster relief organizations, such as the American Red Cross, that are authorized to assist in disaster relief efforts for the purpose of coordinating the notification of family members or other persons involved in the patient’s care of the patient’s location, general condition, or death. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.
Disclosures to Media
Generally, disclosures to the media or the public about an identifiable patient or of specific information about treatment of an identifiable patient (e.g., tests, test results, details of a patient’s illness) may not be done without the patient’s written authorization. However, when a patient has not objected to or restricted the release of PHI, a covered entity may, upon a request to disclose information about a patient asked for by name, release limited facility directory information to acknowledge that a person is a patient of the facility, and the facility may provide basic information about the patient’s condition in general terms (e.g., critical, stable, deceased, treated, and released). Covered entities may also disclose PHI when the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient. See 45 CFR § 164.510(a).
Healthcare providers must continue to remember that even when disclosure of PHI is permitted, the provider must only disclose the minimum amount necessary to accomplish the purpose. Covered entities are permitted to rely on the representations of public officials (including public health authorities) that the information the public officials seek is the minimum necessary for the purpose. For requests from the media permitted by 45 CFR § 164.510(a), however, the information disclosed must be limited to whether the patient is a patient of the facility and the patient’s general condition.
Because of the curiosity and interest that the public may have in COVID-19 cases, healthcare providers should take care to ensure that all information released is permitted by HIPAA. They should also remember to limit access to PHI internally by providing access only to the employees who need it. DBL’s healthcare team is here to advise you on all your HIPAA and healthcare law related issues.
[1] Bulletin: HIPAA Privacy and Novel Coronavirus, Office for Civil Rights, U.S. Dep’t of Health and Human Services (Feb. 2020), https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf
[2] COVID-19 & HIPAA Bulletin: Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Health Emergency, U.S. Dep’t of Health and Human Services (Mar. 2020), https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf