February 9, 2020
This month in light of the Novel Coronavirus (2019-nCoV) outbreak, the Department of Health and Human Services (HHS) released a bulletin reminding HIPAA covered entities and their business associates of the ways they may share patient information during an outbreak of infectious disease or other emergency situations.
While the HIPAA Privacy Rule protects the privacy of patients’ health information, it is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.
“The Coronavirus outbreak brings to our attention the benefit of the public sharing of information,” said Ron Bebus, IT consultant for PrivaPlan. “It’s a fine line though. You can’t use this as an excuse for not protecting patient information. At PrivaPlan, we work hard to educate and help our customers protect patient information, but this bulletin is important as it reminds us of the balance between an individual’s right to privacy and the public’s need to know.”
The bulletin covers aspects of sharing patient information, including when it pertains to treatment. Covered entities may disclose, without a patient’s authorization, protected health information (PHI) about the patient as necessary to treat the patient or to treat a different patient.
The Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to PHI that is necessary to carry out their public health mission. Therefore, the Privacy Rule permits covered entities to disclose needed PHI without individual authorization:
- To a public health authority, such as the CDC or a state or local health department.
- To a foreign government agency that is acting in collaboration with the public health authority.
- To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.
A covered entity may share PHI with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary to notify family members and others, the police, the press, or the public at large.
Health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law and the provider’s standards of ethical conduct.
In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures.
Additionally, covered entities and their business associates must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic PHI.
Need more information? Contact the HIPAA experts at PrivaPlan.