How to Handle HIPAA in Public Health Emergencies

February 6, 2020

Wondering how your practice needs to handle HIPAA privacy when it comes to public health emergencies, like the recent Novel Coronavirus outbreak? Read the OCR’s tips below!

As the Novel Coronavirus (2019-nCoV) outbreak continued to make news, the Office for Civil Rights (OCR) recently sent out a bulletin with additional information on how to handle PHI and how the HIPAA Privacy Rule should be applied in public health emergencies such as this one.

Even in public health emergencies, covered entities (as well as business associates) are still expected to adhere to HIPAA regulations and safeguard the security and privacy of their PHI consistent with HIPAA law.

Here are a few key takeaways from the OCR bulletin that your organization should remember:

  1. The HIPAA Privacy Rule specifically addresses public health emergencies and how PHI may permissibly be disclosed in cases where the public health at large is at risk.
  2. Under the Privacy Rule, covered entities may disclose PHI without patient authorization in the interest of public health safety only to:
    • A public health authority, such as the CDC or a state/local health department, that is authorized to collect and receive information in order to control or prevent the spread of disease.
    • A foreign government agency acting in collaboration, such as with the CDC, when the disclosure is made at the direction of an authorized public health authority.
    • Individuals at risk of contracting or spreading the disease, ONLY if other laws, including state laws, authorize the covered entity to notify such individuals.
    • Disaster relief organizations, such as the Red Cross, that are authorized to assist in disaster relief efforts, for the sole purpose of coordinating notifications to family members or other persons involved in the patient’s care.
  3. Providers may also share patient information with anyone as necessary to prevent/lessen a serious threat to the health and safety of the public without patient consent – consistent with applicable law. It’s important to note that HIPAA law and the OCR expressly defer to the health professionals’ judgment about the nature and severity of the threat when making this determination.
  4. In general, providers may NOT disclose information about a patient to the media or the public at large without the patient’s written authorization, except in very specific circumstances described in HIPAA law. Only if a patient has not objected to the disclosure can statements be made about a patient’s location or basic information about the patient’s condition in general terms. Information may also be disclosed if a patient is incapacitated and if the disclosure is in their best interest and consistent with prior expressed preferences.

As a reminder, all PHI disclosures even in these circumstances should be limited to the minimum information necessary, including continuing to adhere to role-based access for internal employees. If a public health agency such as the CDC requests information, all requested information should be treated as the minimum necessary for the public health purpose.