COVID-19 & HIPAA Bulletin:  Limited Waiver of HIPAA Sanctions and Penalties

The Department of Health and Human Services (HHS) has issued guidance regarding the enforcement of the Health Insurance Portability and Accountability Act (HIPAA). The guidance offers numerous flexibilities to covered entities and business associates under the law during the declared public health emergency and nationwide emergency.

While the limited waiver in the title of the bulletin only applies to certain hospitals, the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), passed after the release of the bulletin, requires the Secretary of HHS to issue HIPAA-related guidance within 180 days on the sharing of patient health information during the public health emergency. In the meantime, HHS points out that the HIPAA Privacy Rule always allows patient information to be shared for the following purposes and under the following conditions:

Treatment: Covered entities may disclose protected health information (PHI) about the patient as necessary to treat the patient–or to treat a different patient. Treatment includes the coordination or management of health care and related services by one or more health care providers and others and consultation between providers.

Public Health Activities: Public health authorities and others responsible for ensuring public health and safety can have access to protected health information that is necessary to carry out their public health mission. The Privacy Rule permits covered entities to disclose needed protected health information without individual authorization to a public health authority or to persons at risk of contracting or spreading a disease or condition.

Disclosures to Family, Friends, and Others Involved in an Individual’s Care: A covered entity may share protected health information with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary to notify family members and others, the police, the press, or the public at large. This gives state DD authorities latitude to inform family members and others in the case of a COVID-19 diagnosis or related quarantine order.

Disclosures to Prevent or Lessen a Serious and Imminent Threat Health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. these disclosures are left to the discretion and professional judgement of healthcare professionals about the nature and the severity of the threat.

 FMI: The guidance is available at https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf