HIPAA Disclosures in light of COVID-19

04.03.20 written by

Despite the ongoing COVID-19 crisis, Covered Entities must continue to comply with HIPAA regulations (notwithstanding the relaxation of prior telehealth regulations; for more information, see “Relaxed Telehealth…”). Generally, the privacy considerations underlying the HIPAA regulations are not suspended in an emergency situation. Rather, a Covered Entity must continue to comply with HIPAA requirements and safeguards, including adherence to the provisions of the HIPAA Security Rule. As such, the following information on the disclosure of PHI is provided as a helpful reference point in light of current events:

Treatment. The Privacy Rule permits Covered Entities to disclose protected health information (PHI) as necessary to treat the subject patient, or to treat a different patient, with or without a patient’s authorization. This includes coordinating health care management and related services amongst health care providers and others (including consultation between providers, and the referral of patients for treatment).

Public Health Activities. The Privacy Rule permits Covered Entities to disclose needed PHI without individual authorization as follows:

  • To a public health authority authorized to collect or receive such information for the purpose of preventing or controlling disease, injury or disability (e.g., the CDC or a state or local health department). For example, this includes reporting diseases or injury; reporting births or deaths; or conducting public health surveillance, investigations, and interventions. PHI may also be shared, at the direction of a public health authority, with a foreign government agency that is acting in collaboration with the public health authority.
  • To persons at risk of contracting or spreading a disease or condition if another law permits the Covered Entity to notify necessary individuals to prevent or control the spread of the disease or otherwise carry out public health interventions or investigations.

Disclosures to Those Involved in an Individual’s Care. A Covered Entity may also share PHI with individuals identified by the patient as involved in the patient’s care (e.g., family members, relatives, friends, or other persons so designated). Before disclosing information to family, friends, or others, the Covered Entity should obtain verbal permission from the patient or otherwise reasonably conclude the patient would not object. If a patient is incapacitated, the Covered Entity can share information so long as doing so is in said patient’s best interest.

Disclosures to Disaster Relief Organizations. In addition, a Covered Entity may share PHI with disaster relief organizations authorized to assist in disaster relief efforts (e.g., the American Red Cross) to notify individuals involved in the patient’s care of the patient’s general condition or death. Here, a Covered Entity need not obtain a patient’s permission to share the information in this situation if obtaining that permission would interfere with the disaster relief organization’s ability to respond to the emergency.

Disclosures to Prevent a Serious and Imminent Threat. Health care providers may share PHI if doing so is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. Covered Entities must exercise sound professional judgment in doing so.

Disclosures to the Media and General Public. Subject to applicable exceptions (such as those set forth herein), a Covered Entity may not disclose PHI to a media outlet or to the public at large without the permission of the patient.

Minimum Necessary Standard. When disclosing PHI, a Covered Entity must limit the extent of the information disclosed so as to provide the minimum information necessary to serve the purpose of the disclosure. This minimum necessary standard applies to a Covered Entity’s internal operations: access to PHI should be limited only to those individuals who require the PHI to execute their duties.

If you have any further questions concerning HIPAA regulations, please contact attorneys Jason Haupt or Matt Doney.

NOTE: This general summary of the law should not be used to solve individual problems since slight changes in the fact situation may require a material variance in the applicable legal advice.