HHS Issues Coronavirus HIPAA Guidance
In the healthcare sector, concerns about the spreading coronavirus outbreak have reignited discussion around HIPAA, protected health information, and when it's legal for healthcare providers to disclose patient records.
The swell of recent news stories around the Novel Coronavirus (2019-nCoV) outbreak prompted the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) this week to reiterate the importance of the Health Insurance Portability and Accountability Act's (HIPAA) Privacy Rule.
In light of the news, HHS issued a bulletin (.PDF) around the 2019–20 Wuhan coronavirus outbreak and how it relates to HIPAA privacy on Monday.
While the respiratory illness was labeled a public health emergency by HHS Secretary Alex M. Azar last week, the department is stressing the urgency around 2019-nCov shouldn't negate the protections of the HIPAA Privacy Rule.
In light of the Novel Coronavirus (2019-nCoV) outbreak, OCR has issued guidance to serve as a reminder of the ways that patient information may be shared and so that the protections of #HIPAA are not set aside during an emergency: https://t.co/fcLojBz7lM #CoronavirusOutbreak
— HHS OCR (@HHSOCR) February 3, 2020
Complying with HIPAA of course requires covered entities to safeguard patients' protected health information (PHI) - any information created, used, or disclosed during the course of diagnosis or treatment. PHI can refer to a number of information types, including a patient's Social Security Number, health plan beneficiary number, medical record number, or account number.
HHS is reminding covered entities that they can only disclose protected health information about a patient in a few scenarios - all relate to public health and safety. If it's necessary to treat the patient or different patient, if there's a legitimate need for information to be shared with public health authorities, like the CDC, in order to prevent or control disease, at a public health authority's discretion, or if or if any individuals are believed to be at risk of contracting or spreading the disease.
There are some conditions where a covered entity can share PHI with a patient's family, relatives, and friends - if they can be located - mostly these exist to assist in patient care. Covered entities can also disclose PHI to prevent a what HHS deems a "serious and imminent threat."
Disclosure to the press is largely forbidden without the patient's written authorization.
In situations like these, when news on a public health emergency commands headlines for days on end, it's important for HHS to address any concerns around data sharing, mostly to help assuage fear. As we've seen before, concerns from hospital workers about contracting the virus, compounded by both the public and press, can lead to snooping and sharing data.
This is a path the HHS has been down before with high-profile illnesses like SARS (Severe Acute Respiratory Syndrome) and Bird Flu (Avian Influenza).
Just because a situation has been labeled an emergency doesn't give hospitals and health plans a free pass when it comes to safeguarding patient data.
"In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and discloses," HHS said in its guidance, "Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information."
It's important to note that the Wuhan coronavirus hasn’t been classified as a pandemic – yet. In the event of a pandemic, when there’s an ongoing epidemic on two or more continents, waiving or modifying requirements under HIPAA, could be permitted under section 319 of the Public Health Service Act.
For what it's worth, in a FAQ on its site, HHS also reiterates that the HIPAA Privacy Rule isn't suspended during a public health emergency. Only when the President declares an emergency or disaster and the HHS Secretary declares a public health emergency can the Secretary waive sanctions and penalties against covered entities that don't comply with the Privacy Rule.
For the time being, HIPAA still applies.