The COVID-19 virus is affecting every aspect of our personal and professional lives. Nowhere is that impact being felt more than in the medical sector where doctors and other health providers are on the front lines of providing medical care.
The Department of Health and Human Services is changing some of its rules and regulations to help healthcare providers provide the care that patients need while still requiring physicians to comply with the basic requirements of existing laws such as the Health Insurance Portability and Accountability Act of 1996, commonly called HIPAA. HIPAA was amended by the Health Information Technology for Economic and Clinical Health Act (HITECH). The main rules health providers need to comply with are the HIPAA Security, Privacy, and Breach requirements.
HIPAA was designed to prevent unauthorized and improper use and disclosure of protected health information (PHI). The rule was crafted to balance the rights of patients to protect the privacy of their health records with the need for some health-related communications to continue.
DHHS has enacted new rules to help balance existing HIPAA compliance requirements with the need to respond to the outbreak of the coronavirus.
Normally, entities and people subject to these rules are required to secure (through technical, administrative, and other procedures) each patient’s PHI. This protection generally includes the good practice of encrypting PHI. Health providers, normally, would prioritize the storing and transmission of electronic protected health information. The COVID-19 emergency is not a normal time – which is why OCR has provided new HIPAA guidance during the pandemic.
Overview of the new HIPAA rules
The director of the DHHS Office for Civil Rights (OCR) stated that the new guidance rules during this emergency empower health providers to serve patients wherever help is needed – and especially those patients most at risk such as seniors and people with disabilities.
HIPAA, Civil Rights, and COVID-19
The new guidelines explain when and how protected health information (PHI) can be disclosed to first responders, paramedics, public health authorities, and law enforcement.
HIPAA will permit an entity covered by the law to share a patient’s name and identifying information – if the patient is “infected with, or exposed to, the virus SARS-CoV-2, or the disease caused by the virus, Coronavirus Disease 2019 (COVID-19),” – without the need for the patient’s authorization in the following situations:
- Emergency medical transport. The disclosure is necessary to provide the appropriate medical treatments. As an example, according to DHHS, HIPAA now allows a skilled nursing facility covered by HIPAA to disclose PHI about someone with COVID-19 to emergency medical providers who will provide medical care while taking the person to a local emergency room. 45 CFR 164.502(a)(1)(ii); 45 CFR 164.506(c)(2).
- When notification that the patient has COVID-19 is required by law. HIPAA does permit a hospital, or other covered entity, to disclose the PHI of a person who has the new coronavirus to public health officials – when the hospital or entity is required to make the disclosure according to state law – if the patient is suspected of having an infectious disease or is confirmed to have an infectious disease. 45 CFR 164.512(a).
- To prevent or control the disease from spreading. HIPAA does permit disclosures of PHI to public health authorities authorized to obtain the PHI, such as:
  - The Centers for Disease Control and Prevention (CDC)
  - State, local, tribal, or territorial public health departments
  when the purpose for receiving such PHI is to prevent or control “disease, injury, or disability” or for “public health surveillance, public health investigations, and public health interventions.” 45 CFR 164.512(b)(1)(i).
- If first responders are in danger of being infected. Entities covered by HIPAA can also release PHI to first responders if the responder may have had a COVID-19 exposure or may be otherwise in danger of either obtaining or spreading the virus – when the covered entity must make the disclosure according to state law (or other law) “to notify persons as necessary in the conduct of a public health intervention or investigation.”
  - As an example, under HIPAA, a county health department covered by HIPAA, and acting pursuant to state law, can disclose PHI to a law enforcement officer or anyone who “may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19.” 45 CFR 164.512(b)(1)(iv).
- When releasing PHI to first responders is required to prevent or reduce a severe and imminent health and safety threat to someone or to the public. The entity covered by HIPAA can disclose the protected health information to someone or to the public in order to lessen the threat, if the entity thinks the person who receives the information, including the target of the threat, can “prevent or lessen the threat.”
  - As an example, HIPAA gives a covered entity (based on the relevant law and ethical conduct standards) the right to disclose PHI “about individuals who have tested positive for COVID-19 to:
    - Fire department personnel
    - Child welfare workers
    - Mental health crisis services personnel
    - Others charged with protecting the health or safety of the public”
  The disclosure is permitted provided that the entity thinks, in good faith, that disclosing the PHI is needed “to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties.” 45 CFR 164.512(j)(1).
- Criminal justice requests. When a correctional institution or an official from law enforcement asks a covered entity for the PHI, provided the institution or official has lawful custody of an individual or inmate, and the institution or official states that the PHI is needed for one of the following reasons:
  - To give the person in custody healthcare
  - For the safety and health of the person in custody, officers, other prisoners, employees and anyone else located at the correctional facility – and for the safety and health of anyone responsible for moving the prisoners
  - For any law enforcement officials at the correctional facility
  - For the correctional facility’s “administration and maintenance of the safety, security, and good order”
  As an example, HIPAA allows a covered doctor who is at the medical facility of the correctional institution to inform correctional guards that an inmate has COVID-19 for the safety of the guards and everyone else at the facility. 45 CFR 164.512(k)(5).
- General Considerations. Entities covered by HIPAA (unless there’s a legal exception) “must make reasonable efforts to limit the information used or disclosed under any provision listed above to that which is the “minimum necessary” to accomplish the purpose for the disclosure.” 45 CFR 164.502(b).
More examples of when the HIPAA privacy of PHI rule may allow for disclosure of protected health information by a covered entity
Some disclosures may be allowed based on just one HIPAA provision. Other disclosures may be allowed based on multiple provisions.
A few more examples of when HIPAA covered entities can disclose COVID-19 PHI include the following:
- Hospital disclosure of a list of names/addresses of people the hospital knows tested positive or received treatment for COVID-19 to an emergency medical service dispatch – “on a per-call basis.” Based on the HIPAA guidance rules from DHHS, the “EMS dispatch (even if it is a covered entity) would be allowed to use information on the list to inform EMS personnel who are responding to any particular emergency call so that the EMS personnel can take extra precautions or use personal protective equipment (PPE).”
In this situation, the covered entity should NOT post the list publicly (such as to a website or through any media distribution). The entity covered by HIPAA should also avoid distributing aggregate lists of individuals to EMS personnel. Only the information of the individuals, on a per-call basis, should be disclosed. Sharing the lists publicly or sharing aggregate lists – wouldn’t be the “minimum” necessary to fulfil the goal of the disclosure – which is protecting first responders from the risk of infectious disease – for each call they make.
- 911 call centers. 911 call centers can screen callers by asking COVID-19-related symptom questions, such as what the caller’s temperature is, whether the caller has a cough, or whether the caller is short of breath. If the 911 call center is covered by HIPAA, the call center is allowed to give a law enforcement official being sent to a location the “name, address, and screening results of the persons who may be encountered so that the officer can take extra precautions or use PPE to lessen the officer’s risk of exposure to COVID-19, even if the subject of the dispatch is for a non-medical situation.”
In this case, the 911 call center should only divulge the minimum amount of information the law enforcement official must have to take proper safety measures to minimize his/her danger of exposure. The minimum information, for example, may include the name of the person and his/her screening result.
The entities covered by HIPAA should review state and local laws with an experienced HIPAA compliance attorney. The Department of Health and Human Services has other related guideline posts including:
- Information about disclosures of PHI to law enforcement officials
- Information about uses and disclosures of PHI for public health
- Disclosures of PHI to Law Enforcement, Paramedics, Other First Responders and Public Health Authorities – PDF
Key definitions
There are three main types of covered entities:
- Healthcare providers. Healthcare providers include doctors, psychologists, clinics, chiropractors, dentists, nursing homes, and pharmacies – “but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.”
- Health plans. Health plans include health insurance companies, HMOs, company health plans, and certain government programs such as Medicare and Medicaid, and the programs for the military and for veterans.
- Health clearinghouses. Health clearinghouses include “entities that process nonstandard health information the entities receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.”
A public health authority is a US agency or authority, a state, a territory, a state subdivision, a territory subdivision, an Indian tribe, or “a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority,” – where that entity is responsible for issues of public health as part of its legal requirements. 45 CFR 164.501
The examples are illustrative. Not every 911 call center, for example, is a covered HIPAA entity that must comply with HIPAA rules.
OCR has enacted new rules that should help health providers comply with HIPAA while protecting the safety of the public. The rules provide for the disclosure of protected health information to first responders, emergency medical services, law enforcement, and others, so that those who come into contact with people who have the COVID-19 virus can take necessary precautions before helping those who are afflicted.
Contact the Cohen Healthcare Law Group for legal counsel on the new HIPAA rules for the COVID-19 outbreak. Our experienced healthcare and HIPAA attorneys can explain how OCR and other agencies are trying to help health professionals care for the public while protecting themselves and the rest of the public.

