
HHS Issues Coronavirus HIPAA Guidance

by Chris Brook on Thursday February 6, 2020


In the healthcare sector, concerns about the spreading coronavirus outbreak have reignited discussion around HIPAA, protected health information, and when it's legal for healthcare providers to disclose patient records.

The swell of recent news stories around the Novel Coronavirus (2019-nCoV) outbreak prompted the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) this week to reiterate the importance of the Health Insurance Portability and Accountability Act's (HIPAA) Privacy Rule.

In light of the news, HHS issued a bulletin (.PDF) around the 2019–20 Wuhan coronavirus outbreak and how it relates to HIPAA privacy on Monday.

While the respiratory illness was labeled a public health emergency by HHS Secretary Alex M. Azar last week, the department is stressing that the urgency around 2019-nCoV shouldn't negate the protections of the HIPAA Privacy Rule.

Complying with HIPAA of course requires covered entities to safeguard patients' protected health information (PHI) - any information created, used, or disclosed during the course of diagnosis or treatment. PHI can refer to a number of information types, including a patient's Social Security Number, health plan beneficiary number, medical record number, or account number.

HHS is reminding covered entities that they can only disclose protected health information about a patient in a few scenarios, all of which relate to public health and safety: if it's necessary to treat the patient or a different patient; if there's a legitimate need for information to be shared with public health authorities, like the CDC, in order to prevent or control disease; at a public health authority's discretion; or if any individuals are believed to be at risk of contracting or spreading the disease.

There are some conditions where a covered entity can share PHI with a patient's family, relatives, and friends, if they can be located; mostly these exist to assist in patient care. Covered entities can also disclose PHI to prevent what HHS deems a "serious and imminent threat."

Disclosure to the press is largely forbidden without the patient's written authorization.

In situations like these, when news on a public health emergency commands headlines for days on end, it's important for HHS to address any concerns around data sharing, mostly to help assuage fear. As we've seen before, concerns from hospital workers about contracting the virus, compounded by both the public and press, can lead to snooping and sharing data.

This is a path the HHS has been down before with high-profile illnesses like SARS (Severe Acute Respiratory Syndrome) and Bird Flu (Avian Influenza).

Just because a situation has been labeled an emergency doesn't give hospitals and health plans a free pass when it comes to safeguarding patient data.

"In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures," HHS said in its guidance. "Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information."

It's important to note that the Wuhan coronavirus hasn't been classified as a pandemic yet. In the event of a pandemic, when there's an ongoing epidemic on two or more continents, waiving or modifying requirements under HIPAA could be permitted under section 319 of the Public Health Service Act.

For what it's worth, in a FAQ on its site, HHS also reiterates that the HIPAA Privacy Rule isn't suspended during a public health emergency. Only when the President declares an emergency or disaster and the HHS Secretary declares a public health emergency can the Secretary waive sanctions and penalties against covered entities that don't comply with the Privacy Rule.

For the time being, HIPAA still applies.
