Because No One is Immune to the Law
March 12, 2020 - United States, COVID-19, Healthcare, Privacy + Data Security

OCR Bulletin on HIPAA Privacy and Coronavirus (COVID-19)

Coronavirus: Steps Employers Should Be Taking

In response to the recent outbreak of the novel coronavirus (2019-nCoV or COVID-19) and associated preparation and response, the Department of Health and Human Services Office for Civil Rights (OCR) recently released a bulletin (the “Bulletin”) outlining how entities subject to HIPAA may share patient information under the HIPAA Privacy Rule and other obligations during an outbreak of infectious disease or other emergency situation. In it, OCR emphasizes that the HIPAA Privacy Rule functions to protect the privacy of patients’ protected health information (PHI) and also underscores that the purpose of the Bulletin is partly to serve as a reminder that HIPAA protections should not be set aside during an emergency. OCR also emphasizes that the Privacy Rule applies only to HIPAA-covered entities and their business associates and does not apply to disclosures made by entities or other persons who are not covered entities or business associates (although such persons or entities are free to follow the standards on a voluntary basis if desired).    

The Bulletin outlines the following key points within the Privacy Rule that are relevant to sharing patient information in an outbreak of infectious disease or other emergency situation:

Sharing Patient Information

  • Treatment. Under the Privacy Rule, covered entities may disclose, without a patient’s authorization, PHI about the patient as necessary to treat the patient or to treat a different patient. See 45 CFR §§ 164.502(a)(1)(ii), 164.506(c), and the definition of “treatment” at § 164.501.
  • Public Health Activities. The Privacy Rule acknowledges the need for public health authorities to have access to PHI necessary to carry out their duties and so permits covered entities to disclose PHI without individual authorization in the following circumstances:
    • To a public health authority. This would include entities like the Centers for Disease Control (CDC) or state or local health departments authorized by law to receive such information. A “public health authority” is an agency or authority of the U.S. government, a state, territory, political subdivision of a state or territory, or Indian tribe responsible for public health matters, as well as a person or entity acting under grant of authority from, or under a contract with, a public health agency. See 45 CFR §§ 164.501 and 164.512(b)(1)(i).
    • At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority. See 45 CFR § 164.512(b)(1)(i).
    • To a person at risk of contracting or spreading a disease. This is permitted if other law, such as state law, authorizes the covered entity to make such notification as necessary to prevent or control the spread of disease or otherwise carry out public health objectives. See 45 CFR § 164.512(b)(1)(iv).
  • Disclosures to Family, Friends, and Others. Covered entities may share PHI with a patient’s family members, friends, or others identified by the patient as involved in the patient’s care. Covered entities may also share information about a patient as necessary to identify, locate, and notify family members, guardians, or others responsible for the patient’s care about the patient’s condition or location. See 45 CFR § 164.510(b). The Bulletin also highlights the following considerations:
    • The covered entity should attempt to get verbal permission from the patient or otherwise be able to reasonably infer that they do not object. If that is not possible, covered entities may share the information if, in their professional judgment, doing so would be in the patient’s best interest.
    • For patients who are unconscious or incapacitated, a healthcare provider may share information about the patient with those involved in the patient’s care (such as friends or family) if the provider determines, based on professional judgement, that doing so would be in the patient’s best interest.
    • A covered entity may share patient information with disaster relief organizations for the purpose of coordinating notification of family or those involved in a patient’s care of the patient’s condition or location. In this situation, it is unnecessary to obtain the patient’s permission if doing so would interfere with the organization’s ability to respond to the emergency.
  • Disclosures to Prevent a Serious and Imminent Threat. Healthcare providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, consistent with applicable law. See 45 CFR § 164.512(j).
  • Disclosures to the Media or Others Not Involved in the Care of the Patient. Generally, except in the limited circumstances described elsewhere in the Bulletin, reporting to the media or general public about an identifiable patient or disclosing to the public or media specific information about treatment of an identifiable patient may not be done without the patient’s written authorization (or the authorization of a person legally authorized to give it on the patient’s behalf).
  • Minimum Necessary. For most disclosures (other than those to healthcare providers for treatment purposes), a covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose. Covered entities may reasonably rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose. See 45 CFR §§ 164.502(b) and 164.514(d).

Safeguarding Patient Information

In emergency scenarios, covered entities must continue to apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic PHI in addition to continuing to implement reasonable safeguards to protect patient information against impermissible uses or disclosures.

Other Resources

The Bulletin also refers readers to the following additional resources:

More information on HIPAA and Public Health:

More information on HIPAA and Emergency Preparedness, Planning, and Response:

General information on understanding the HIPAA Privacy Rule:

Information regarding how Federal civil rights laws apply in an emergency:

For further information about Coronavirus preparedness please also visit the Morrison & Foerster Coronavirus Resource Center.