HHS Reminds Covered Entities of HIPAA Data Sharing Provisions in Light of Novel Coronavirus Outbreak

The Department of Health and Human Services has issued a bulletin reminding HIPAA covered entities about the ways that patient information can be shared during outbreaks of infectious disease and other emergency situations, in light of the recent Novel Coronavirus (2019-nCoV) outbreak.

In the bulletin, the HHS confirms that in such situations, the protections of the HIPAA Privacy Rule still apply and healthcare organizations must continue to apply administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI).

Under the HIPAA Privacy Rule, covered entities are permitted to disclose patient information without authorization for treatment purposes, care coordination, consultations, and referrals of patients for treatment.

In situations when patients have contracted an infectious disease such as 2019-nCoV, there is a legitimate need for information to be shared with public health authorities and others responsible for ensuring public health and safety. Those entities may need to be provided with PHI to allow them to carry out their public health missions. In such cases, the HIPAA Privacy Rule allows covered entities to share PHI with those entities and individual authorizations are not required.

That includes sharing information with the Centers for Disease Control and Prevention (CDC) and state and health departments authorized by law to receive such information to prevent or control disease and injury. At the direction of a public health authority, PHI may also be shared with foreign government agencies that are working with public health authorities. Information can also be shared with individuals believed to be at risk of contracting or spreading disease, if other law, such as state law, authorizes the covered entity to notify such persons to help prevent the spread of disease or to carry out public health investigations.

Information can also be shared with friends, family members, and other individuals involved in the care of a patient, including sharing information about a patient, as necessary, to identify, locate, and notify family members, guardians, and others responsible for the patient’s care, of the patient’s location, general condition, or death.

In such cases, verbal permission should be obtained from the patient, or it should be possible to reasonably infer that the patient does not object. If a patient is incapacitated, then professional judgement should be used as to whether the sharing of information is in the patient’s best interest.

Patient information may also be shared to prevent or lessen a serious or imminent threat to the health and safety of a person or the public, consistent with applicable laws. Generally speaking, providing specific information about an identifiable patient to the media or public at large is not permitted.

All permitted disclosures of patient information are subject to the minimum necessary rule. Shared information should be limited to the minimum necessary amount to accomplish the purpose for which information is disclosed.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.