COVID-19

Coronavirus: HIPAA Privacy Rules and the COVID-19 Pandemic

March 26, 2020

By: Brooke Bennett Aziere and Amanda M. Wilwert

Foulston has produced a series of issue alerts as we continue to monitor the evolving COVID-19 situation and provide additional guidance. Please find all updates and our latest resources available here.

As healthcare providers experience escalating inquiries and public demand for information about individuals infected with or exposed to Coronavirus Disease 2019 (“COVID-19”), it is important to remember that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rules still apply. The U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has issued guidance and limited waivers regarding the application of HIPAA and permitted uses and disclosures of protected health information (“PHI”) during this national public health emergency.

Disclosures to Law Enforcement, Paramedics, and Other First Responders

On March 24, 2020, OCR issued guidance on disclosures to first responders. The HIPAA Privacy Rule permits covered entities to disclose the name and other identifying information of an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, and other first responders without the individual’s authorization in the following circumstances:

• When the disclosure is needed to provide treatment;
• When such notification is required by law;
• When first responders may be at risk of infection;
• When the disclosure is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public; and
• When responding to a request by a correctional institution or law enforcement official when the individual is in the custody of the institution. 

OCR’s guidance focuses on permissible uses and disclosures of PHI which will allow first responders to take extra precautions or use personal protective equipment in responding to emergency calls. The permissible disclosure of information would include the patient’s symptoms (e.g., fever, cough, respiratory symptoms) which are suggestive of COVID-19. 

As a reminder, except for disclosures that are required by law or disclosures for treatment purposes, healthcare providers are required to make reasonable efforts to limit the information to that which is the “minimum necessary” to accomplish the purpose of the disclosure. This means disclosures to first responders who are at risk of infection or to prevent or lessen a serious and imminent threat to safety must be limited to the minimum necessary amount of information to accomplish the purpose, i.e., reducing the risk. The first responder should not have access to the patient’s entire medical history, but only the information needed to reduce the risk of infection.

OCR’s guidance on disclosures to law enforcement, paramedics, and other first responders can be found here.

Limited Waiver of HIPAA Sanctions and Penalties

On March 15, 2020, HHS Secretary Alex Azar declared a limited HIPAA waiver of sanctions and penalties against hospitals for noncompliance with the following provisions of the HIPAA Privacy Rule:

• The requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care;
• The requirement to honor a request to opt out of the facility directory;
• The requirement to distribute a notice of privacy practices;
• The patient’s right to request privacy restrictions; and
• The patient’s right to request confidential communications.

This HIPAA waiver only applies in areas covered by a public health emergency declaration, to hospitals that have implemented their disaster protocol, and for a period of up to 72 hours from the time the hospital implements its disaster protocol. 

This HIPAA waiver applies only to hospitals and is intended to relieve some of the burdens associated with paperwork and confidentiality options for patients receiving care in a hospital setting. We recommend hospitals follow all provisions of the Privacy Rule to the extent operations allow during this public health emergency, but if there happens to be a lapse in the distribution of a notice of privacy practices, HHS has indicated sanctions will not be implemented.

Secretary Azar’s bulletin discussing the HIPAA Waiver can be found here.

Permitted Uses and Disclosures of PHI in Emergencies

On February 3, 2020, OCR issued a bulletin regarding the HIPAA Privacy Rule and COVID-19, illustrating the ways patient information may be shared in emergency situations. The HIPAA Privacy Rule permits covered entities to use and disclose PHI without an individual’s authorization under the following circumstances:

• For treatment purposes, such as coordinating and managing care, referrals for treatment, and consultation with other healthcare providers;
• To a public health authority, such as the Centers for Disease Control and Prevention (“CDC”), or a state or local public health department, that is authorized by law to collect or receive PHI to prevent or control the spread of the disease; or
• To family, friends, and others involved in an individual’s care so long as the healthcare provider determines the disclosure is in the best interests of the individual. 

Written patient authorization is required to disclose PHI to the media. However, where a patient has not objected to or restricted the release of PHI in a facility directory, a covered entity may respond to a media request for information about a specific patient with the general condition of the named patient (e.g., undetermined, good, fair, serious, critical, treated and released, treated and transferred, or deceased) and his/her location in the facility.

HHS’ February 3, 2020, bulletin regarding HIPAA privacy requirements and COVID-19 is available here.

For More Information

If you have questions or want more information regarding HIPAA privacy rules during the COVID-19 pandemic, contact your legal counsel. If you do not have regular counsel for such matters, Foulston Siefkin LLP would welcome the opportunity to work with you to meet your specific business needs. Foulston's healthcare lawyers maintain a high level of expertise regarding federal and state regulations affecting the healthcare industry. At the same time, our healthcare practice group's relationship with Foulston's other practice groups, including the taxation, general business, labor and employment, and commercial litigation groups, enhances our ability to consider all of the legal ramifications of any situation or strategy. For more information, contact Brooke Bennett Aziere at 316.291.9768 or baziere@foulston.com or Amanda Wilwert at 913.253.2181 or awilwert@foulston.com. For more information on the firm, please visit our website at www.foulston.com.

Established in 1919, Foulston Siefkin is the largest law firm in Kansas. With offices in Wichita, Kansas City, and Topeka, Foulston provides a full range of legal services to clients in the areas of administrative & regulatory; antitrust & trade regulation; appellate law; banking & financial services; business & corporate; construction; creditors’ rights & bankruptcy; e-commerce; education & public entity; elder law; emerging small business; employee benefits & ERISA; employment & labor; energy; environmental; ERISA litigation; estate planning & probate; family business enterprise; franchise & distribution; government investigations & white collar defense; governmental liability; government relations & public policy; healthcare; immigration; insurance regulatory; intellectual property; litigation & disputes; long-term care; mediation/dispute resolution; mergers & acquisitions; Native American law; oil, gas & minerals; OSHA; privacy & data security; private equity & venture capital; product liability; professional malpractice; real estate; securities & corporate finance; supply chain management; tax exempt organizations; taxation; trade secret & noncompete litigation; water rights; and wind & solar energy.

Health Law Resources

Sign up to receive these issue alerts straight to your inbox here.

This update has been prepared by Foulston Siefkin LLP for informational purposes only. It is not a legal opinion; it does not provide legal advice for any purpose; and it neither creates nor constitutes evidence of an attorney-client relationship