HHS Relaxing Enforcement of HIPAA to Facilitate Sharing of Information During the COVID-19 Crisis


HIPAA—the Health Insurance Portability and Accountability Act of 1996—established a set of national standards to protect the privacy of a person’s physical or mental health or condition, and the health care provided to that individual. In fact, HIPAA’s privacy rules directly address the use and disclosure of a patient’s health information by health care providers, group health plans, and others. But in the shadow of the coronavirus (COVID-19) pandemic, HHS (the U.S. Department of Health and Human Services) has taken steps to ensure that hospitals and health care professionals are shielded from punishment when they share a patient’s coronavirus-related information without that patient’s prior approval, despite applicable HIPAA restrictions. Michelman & Robinson explains.

Q. How has HHS relaxed enforcement of HIPAA’s privacy rules?

A. In light of the recent federal declaration of a nationwide emergency concerning COVID-19, HHS—while maintaining the existing HIPAA privacy rules—is waiving sanctions and penalties against covered hospitals and health care workers for breaking them. This move essentially allows medical providers to:

  • Speak with a patient’s family members or friends involved in the patient’s care without the patient’s consent
  • Forgo the requirement to distribute a notice of privacy practices
  • Fail to honor a patient’s request for privacy restrictions or confidential communications

Bottom line: HHS has decided that medical professionals will not be penalized for violating some HIPAA privacy rules in their efforts to navigate the COVID-19 outbreak.

Q. Even though HHS may not be enforcing certain regulations in coronavirus cases, what are the existing privacy rules regarding patient information that can be shared under HIPAA?

A. Without a patient’s prior authorization, health care providers are only supposed to disclose health information about the patient as necessary to treat the patient or to treat a different patient. For context, treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment.

Q. Under existing HIPAA rules, what information can health care providers collect or disclose to a public health authority, for example a local health department?

A. Hospitals and others may disclose protected patient information to the CDC or a state or local health department authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability. Examples of what can be shared under these circumstances include reporting disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions.

Q. Does HIPAA allow for patient information to be disclosed to family, friends, and others?

A. Yes, but only with the patient’s consent. Health care providers may share protected health information with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. Of note, a disaster relief agency—or other entity covered under HIPAA—may share patient information (e.g., location, general condition, or even death) as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care.

Q. Can patient disclosures be made to prevent or lessen a serious imminent threat such as infection by COVID-19? 

A. Health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. In such a circumstance, medical professionals may disclose a patient’s health information to family, friends, caregivers, and law enforcement without a patient’s permission. HIPAA expressly defers to the professional judgment of health care providers in making determinations about the nature and severity of threats to health and safety.

Q. Can a patient’s health information be shared with an employer or landlord to prevent or lessen a serious imminent threat of infection?

A. The HIPAA privacy rules are not clear in this regard, but if a health care provider concludes, in good faith, that disseminating such information is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, the answer may be “yes.” In terms of the coronavirus, which remains live on certain types of surfaces for a period of time and could infect a landlord’s residents or an employer’s workforce, it is easy to foresee how information about a patient’s COVID-19 diagnosis or symptoms could be important to report, though dissemination decisions rest solely with medical providers or local authorized authorities.

Q. When patient information can be shared, how much is typically disclosed?

A. The patient information disclosed under HIPAA must be the “minimum necessary” to accomplish the purpose of sharing it. Toward that end, a health care provider may rely on representations from the CDC that the protected health information it requests about all patients exposed to or suspected or confirmed to have COVID-19 is the “minimum necessary” for the public health purpose. There is a caveat to all of this: “minimum necessary” requirements do not apply to disclosures to health care providers for treatment purposes.

Q. Under HIPAA, what are the parameters of patient COVID-19 disclosures to first responders?

A. HIPAA permits hospitals and health care providers to disclose patient health information about an individual who tests positive for COVID-19 in accordance with any state law requiring the reporting of confirmed or suspected cases of infectious disease to public health officials. Likewise, such personal health information can be disclosed to a first responder who may have been exposed to a COVID-19 patient or may otherwise be at risk of contracting or spreading the disease.

Finally, a person’s personal health information can be disclosed to prevent or lessen a serious and imminent threat to a person or the public, when the disclosure is made to those (e.g., first responders, fire department personnel, child welfare workers, mental health crisis services, or others charged with protecting the health or safety of the public) whom the disclosing party believes can prevent or lessen the threat.

This blog post is not offered, and should not be relied on, as legal advice. You should consult an attorney for advice in specific situations.