Overview of the new DHHS decision tool
The Department of Health and Human Services (DHHS) has introduced a decision tool to help healthcare providers determine how the HIPAA Privacy Rule applies to them. The tool helps providers understand when protected health information (PHI) can be disclosed, based on the following criteria:
- The source of the information
- Who the intended recipient of the information is
- The purpose of the PHI
Health providers can also speak with experienced HIPAA compliance lawyers to discuss their questions and concerns with regard to HIPAA and other compliance issues during the COVID-19 emergency crisis.
HIPAA privacy guidelines for emergencies
The Health Insurance Portability and Accountability Act of 1996 includes guidelines for emergency situations such as the COVID-19 pandemic. A main concern with the current virus is that the elderly and people with disabilities or pre-existing health conditions that may weaken their immune systems are most at risk.
HIPAA generally protects everyone’s health information records (the records that can be identified) when that information is held by “covered entities.” The rule is aimed at protecting the personal health records of patients. Many patients don’t want people, other than those who need to know their information, to have access to their identity or to their private health record of illnesses, doctor visits, and other related health information.
The decision tool helps covered entities by presenting questions and then, depending on the response, giving an answer or a better idea as to whether the PHI can be disclosed. The HIPAA guidelines aim to balance the patient’s right to privacy against the need to share public health information that could affect health professionals, law enforcement, first responders, and others.
All health providers, especially those providing emergency healthcare or assistance during the COVID-19 pandemic, should understand how the decision tool works. Health providers should also review the decision tool and their HIPAA compliance during this emergency with an experienced HIPAA compliance attorney.
The decision tool doesn’t address “all the uses and disclosures permitted by the Privacy Rule, nor does it discuss all of the Rule’s requirements.” The tool also doesn’t address other federal, state, or local laws for confidentiality.
The DHHS decision tool questions
The tool generally asks the following questions:
“Who is the source of the information to be disclosed?”
“To whom is the information being disclosed?”
- Public Health Authority
- A healthcare provider for treatment
- Other agency for public health purposes
- Other person(s) / agency
1. Is the source of the PHI information a Covered Entity?
The first question the decision tool asks is who the source of the information is. The source is a covered entity if the source is:
- A health plan. A health plan is a personal or group plan that “provides, or pays the cost of, medical care.” Health plans include health insurers, HMOs, Medicare, Medicaid, and the Veterans Health Administration.
- A healthcare provider. Healthcare providers generally include hospitals, physicians, and clinics – if the providers send health information in electronic form “in connection with a transaction for which a HIPAA standard has been adopted by HHS (e.g., billing).” The category broadly applies to any healthcare service provider (and any person or organization associated with that provider) that “furnishes, bills or is paid for healthcare in the normal course of business.”
- A healthcare clearinghouse. Healthcare clearinghouses can be private or public – and may include “a billing service, repricing company, or community health information system, that processes non-standard data or transactions received from another entity into standard transactions or data elements, or vice versa.”
2. What happens if the source of the information is an individual?
The DHHS decision tool states that HIPAA doesn’t apply to individuals – just to covered entities. This means that, generally, individuals who don’t work for or aren’t associated with a covered entity may disclose PHI to anyone without concern that they are violating the HIPAA privacy requirements. Employees, contractors, board members, and even volunteers who work for a covered entity generally can’t disclose the information, because these people work for a covered entity. Likewise, nurses, medical staff, and hospital employees also cannot disclose protected health information.
For example, consumers and patients can provide the information “directly to anyone without an authorization.”
Disclosures by individuals associated with covered entities may be permissible – only if other parts of the HIPAA compliance requirements are met.
3. What happens if the information source isn’t a Covered Entity?
If the source is not a covered entity, then the disclosure may be permissible. The HIPAA privacy rule generally applies just to covered entities.
As an example, according to DHHS, the HIPAA Privacy Rule allows the following entities to disclose health information when they are functioning solely in their respective capacities (agencies that perform hybrid functions may be required to protect PHI):
- Social service agencies,
- Centers for Independent Living
- Paratransit authorities
- Protection & Advocacy Organizations
- Public agencies that perform public health activities
As a further DHHS example, a social service agency (provided the agency is not a Covered Entity) that keeps a list of the names, addresses, and limitations of persons with disabilities may be able to disclose that information to businesses that transport people with disabilities. The American Red Cross, DHHS states, can also disclose PHI.
Hybrid entities are entities that have “multiple roles and responsibilities.”
Hybrid entities include public agencies that have “covered entity” roles, such as a health plan or a health provider, but also perform different functions such as public health.
“These agencies may choose to be hybrid entities, so that the information held by the non-covered component would not be subject to the Privacy Rule.”
“Special provisions apply; basically, the covered component (provider, health plan) must limit information shared with the rest of the organization the same way that it limits disclosures to other entities.”
4. Is the Recipient a Public Health Authority?
The next part of the DHHS decision tool asks (if the source of the PHI is covered by HIPAA) whether the PHI recipient is a public health authority.
A public health authority is defined as:
“an agency or authority of the United States Government, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, that is responsible for public health matters as a part of its official mandate, or a person or entity acting under a grant of authority from or contract with such agency.”
Examples of public health agencies include:
- “Local health departments
- State public health agencies
- State health departments
- State cancer registries
- State vital statistics departments
- Tribal health agencies
- Federal public health agencies
- Food and Drug Administration (FDA)
- Centers for Disease Control and Prevention (CDC)
- Occupational Safety and Health Administration (OSHA)”
“Covered entities may disclose certain protected health information (PHI) to appropriate public health authorities (PHA) for such activities.”
- If yes – the recipient of the PHI is a public health authority – then the decision tool asks another question: “Is the public health authority authorized by law to collect or receive the information?”
  - If yes – the PHA is authorized by law – then “the covered entity may disclose the information that is reasonably necessary!”
  - If no – “the public health authority is not authorized by law to collect or receive the information for public health purposes” – there still may be some limited circumstances in which the disclosure can be made (see the other permitted disclosures below).
- If no – “the recipient of the information is not a public health authority” – there still may be some limited circumstances in which the disclosure can be made (see the other permitted disclosures below).
DHHS adds that a covered entity may disclose protected health information to a PHA for “public health activities and purposes” provided the PHA “is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including the conduct of public health interventions.”
Disclosures may also be permissible to a PHA if there is a statute, regulation, or other legal authority that requires that the PHA receive the information. The PHA should be able to give the covered entity a “statement describing its legal authority to receive the information and conduct the public health activity.” For example, hospitals may report health data to the CDC, “consistent with the Privacy Rule.”
5. Disclosure to Healthcare Provider for Treatment Purposes
The decision tool next states that “Covered entities may disclose PHI to healthcare providers for treatment purposes!” For example, a health provider (physician) may disclose protected health information to another healthcare provider for treatment to ensure continuity of care. In the case of emergencies such as COVID-19, “A group home may disclose PHI to another healthcare facility to which the individuals will be evacuated in an emergency.”
Generally, DHHS states that “the minimum necessary standard does not apply for this decision point,” but if a covered entity discloses PHI to a third party that is not a healthcare provider for treatment purposes, then the minimum necessary test must be met.
6. Disclosure to an Agency for Public Health Purposes
If the disclosure by the covered entity is to an agency for public health purposes, DHHS cautions that the disclosure may be made if:
- It is made with the individual’s authorization
- Or in a specific exception called a “limited data set,” where certain specific conditions apply. An example is where a doctor discloses information that an elderly patient requires a wheelchair – if there is an agreement that “specifies age, gender, and limitations.”
7. Disclosure to Other Person or Agency
Disclosures may also be allowed under this scenario if there is a signed authorization.
8. Additional decision tool questions
The new decision tool also provides guidance on whether the individual consumer has signed an authorization (yes or no) permitting the disclosure, and on which disclosures are subject to the minimum necessary standard.
The Office for Civil Rights’ new decision tool helps health providers understand when disclosures of protected health information may be permissible during the country’s efforts to manage the COVID-19 public health emergency. The tool is a guide that requires the health provider to answer a variety of questions based on the source of the information and who the information may be disclosed to.
Contact the Cohen Healthcare Law Group for legal counsel on the new HIPAA requirements for Security, Privacy, and Breach compliance during the novel coronavirus pandemic. Our experienced healthcare & HIPAA lawyers advise health providers and health businesses on a variety of health compliance issues at the federal and state levels.