March 17, 2020 - Scott R. Landau

AEL Addresses Common Questions Regarding HIPAA Compliance Amidst the Global Pandemic

Amidst the damage and disruption COVID-19 is causing, businesses and individuals have many questions about HIPAA – – and specifically, about what health information they can share (and how) without express patient authorization. Below are some FAQs that we have assembled regarding HIPAA to help guide providers and employers during these extraordinary circumstances.

What is HIPAA?

Short for the Health Insurance Portability and Accountability Act, HIPAA was signed into law in 1996 by President Bill Clinton. HIPAA primarily concerns the privacy and security of patient health information, and requires healthcare organizations to implement controls to keep patients’ medical information safe.

Who does HIPAA apply to?

HIPAA applies to “covered entities” as well as their “business associates.” “Covered Entities” include healthcare providers (such as doctors, dentists, vision clinics, hospitals, and related health caregivers), health plans, and healthcare clearinghouses. “Business associates” are persons or entities, other than a member of the workforce of a “covered entity,” who perform functions or activities on behalf of, or provides certain services to, a HIPAA Covered Entity that involve access by the business associate to protected health information.

What are the HIPAA Privacy and Security Rules?

The HIPAA “privacy rule” establishes standards for protecting patients’ medical records and other “protected health information” (PHI), and restricts the uses and disclosures of PHI by covered entities and their business associates, absent patient authorization (i.e. “permission”), to treatment, payment, and healthcare operations purposes (sometimes called “TPO”).

The HIPAA “security rule” requires covered entities and their business associates to protect patients’ electronically stored protected health information (known as “ePHI”) by using appropriate administrative, physical, and technical “safeguards”, to ensure the confidentiality, integrity, and security of this information.

Must my company comply with the HIPAA Privacy Rule if it is not a Covered Entity or Business Associate?

Technically, no. The HIPAA Privacy Rule only applies to Covered Entities and their Business Associates, and thus, only restricts uses and disclosures of individuals’ health information by employees, volunteers, and other members of a covered entity or business associate’s workforce. Though there have been past situations where the government prosecuted non-Covered Entities/non-Business Associates for improper commercial uses of PHI, given the current emergent circumstances, we do not believe that a non-Covered Entity or non-Business Associates’ use or dissemination of PHI would result in such actions unless such use or dissemination were otherwise criminal or malevolent.

If HIPAA does not apply to my company, can we share and disseminate our employees’ or customers’ health data without their permission?

Not necessarily. While the HIPAA Privacy rule restrictions on use and dissemination of PHI may not apply to your company if it is not a “covered entity” or “business associate,” other federal and state confidentiality rules, as well as contractual obligations, may still restrict your ability to use or disseminate such information without permission. We encourage you to tread carefully before using or sharing individuals’ health information, even if HIPAA does not apply to you or your company, and to consult with counsel if you have any questions or concerns.

Can healthcare providers communicate with patients or perform “telehealth” services through everyday communications technologies (such as Skype or FaceTime) during the COVID-19 crisis?

Yes. On March 17, 2020, the Office for Civil Rights at HHS announced that, effective immediately, it would exercise “enforcement discretion” and waive penalties for HIPAA violations against health care providers that communicate with patients and provide telehealth services in “good faith” through “everyday” communications technologies such as Skype, Google Hangouts, Facebook Messenger, and FaceTime (which are not fully HIPAA-compliant and cannot ordinarily be used for telehealth services) during the COVID-19 national emergency. Importantly, this waiver applies to telehealth provided for any reason, not just services related to the diagnosis or treatment of health conditions related to COVID-19.

Do HIPAA and the Privacy and Security Rules still apply during a public health emergency such as the COVID-19 outbreak?

Yes, the HIPAA Privacy and Security rules still apply during a disease outbreak, including the COVID-19 pandemic, except as specifically exempted or waived by HHS (such as for telehealth services via “everyday” communications technologies as described above). That said, the HIPAA Privacy Rule always allows PHI to be shared for the following purposes and under the following conditions, which are particularly relevant now:

Treatment Purposes: A patient’s PHI can be disclosed without patient authorization to treat that patient or to treat a different patient. Treatment includes the coordination or management of health care and related services by health care providers, consultation between providers, and the referral of patients for treatment. See 45 C.F.R. § 164.502(a)(1)(ii), 164.506(c).

Public Health Activities: During public health emergencies like the COVID-19 outbreak, PHI can be shared without patient authorization with: (1) public health authorities such as the CDC and state and local health departments; (2) at the direction of a public health authority, to a foreign government agency; and (3) to persons at risk of contradicting or spreading the disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or to carry out public health interventions.

Disclosures to Prevent Serious and Imminent Threats: Covered entities may share PHI with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, consistent with all applicable laws and standards of ethical conduct. Thus, providers may disclose patient PHI to anyone in a position to prevent or lessen a serious and imminent threat, including family, friends, caregivers, and law enforcement, without patient authorization.

Disclosures to Family, Friends, and Others Involved in an Individual’s Care and For Notification: A covered entity may, with verbal consent if possible, share protected health information with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary to notify family members and others, the police, the press, or the public at large. See 45 C.F.R. § 164.510(b).

What specific PHI can be disclosed in these emergency situations?

Other than disclosures made by healthcare providers for the purpose of providing treatment, HIPAA’s “minimum necessary” standard applies for disclosures of PHI. The “minimum necessary” standard requires covered entities and business associates to make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose. Covered entities may rely on representations from a public health authority or other official that the requested information is the minimum necessary for the purpose, when that reliance is reasonable under the circumstances. For example, if the CDC requests from a hospital information about all patients exposed to or suspected to be exposed to COVID-19, a covered entity can safety conclude that the requested information is the “minimum necessary” for public health purposes.

How does the President’s recent declaration of a “state of emergency” impact our HIPAA Obligations?

Following President Trump’s March 13, 2020 declaration of a nationwide emergency concerning COVID-19, Secretary of the U.S. Department of Health and Human Services (HHS) Alex M. Azar exercised his authority to “waive” sanctions and penalties against covered hospitals that do not comply with the following provisions of the HIPAA Privacy Rule:

The requirement to obtain a patient’s (verbal) agreement to speak with family members or friends involved in the patient’s care. See 45 C.F.R. 164.510(b).  The requirement to honor a request to opt out of the facility directory (see 45 C.F.R § 164.510(a)).

The requirement to distribute a notice of privacy practices (see 45 C.F.R. § 164.522(a)).

Patients’ rights to request confidential communications (see 45 C.F.R. § 164.522(b).

Please note that these waivers only apply: (1) in the emergency areas identified in the public health emergency declaration (which would include all of the NYC Metropolitan area); (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours after the disaster protocols are implemented. Once those 72 hours expire, hospitals must then again comply with all of the requirements of the Privacy Rule for any patients still under their care.