Permissible HIPAA Disclosures During COVID-19
The Office for Civil Rights at the U.S. Department of Health and Human Services (“OCR”) recently published guidance on permissible disclosures of protected health information (“PHI”) for individuals who have been infected with or exposed to COVID-19.
Covered entities may disclose PHI of individuals who have been infected with or exposed to COVID-19 to law enforcement, first responders, and public health authorities without the individual’s authorization in the following circumstances:
- When providing treatment to the individual who has COVID-19;
- When required by law;
- When notifying a public health authority to prevent or control the spread of COVID-19;
- When first responders may be at risk of infection;
- When the disclosure to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public; and
- When responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual in certain circumstances.
These disclosures ensure first responders have access to real-time infection information to help keep them and the public safe during the public health emergency. The permitted disclosures do not alleviate the requirement to comply with the minimum necessary standard when sharing information. Covered entities must make reasonable efforts to limit disclosures to the minimum amount of information needed to meet the intended purpose. PHI that is not relevant, exceeds the amount requested, or is not needed to accomplish the purpose of the contemplated use or disclosure should not be disclosed.
OCR also announced that it would not impose penalties against business associates for violations of certain provisions of the HIPAA Privacy Rule during the public health emergency. Federal and state health authorities, health oversight agencies, health departments, and emergency operation centers have requested PHI from certain business associates or have requested that the business associates perform data analytics to ensure the health and safety of the public. However, business associates have not timely participated in these activities due to their business associate agreements and the lack of any explicit term permitting such use or disclosure. Effective as of April 2, OCR will exercise its enforcement discretion and will not subject business associates or covered entities to penalties for making disclosures when: (i) the business associate makes a good faith use or disclosure of PHI for qualified public health activities or health oversight activities; and (ii) the business associate informs the covered entity of the use or disclosure within ten calendar days.
How Frier Levitt Can Help
This notice of discretionary enforcement, similar to OCR’s recent notice of discretion regarding telemedicine, only applies to the Privacy Rule. Covered entities and their business associates must still comply with all other applicable HIPAA requirements. For additional guidance or a compliance review of your practice’s HIPAA policies and procedures, contact Frier Levitt.