The COVID-19 pandemic has forced unprecedented reliance on technology and remote connectivity and created a significant increase in COVID-19 patient information from the public, media, drug manufacturers, first responders and other providers, family members, and patients themselves. This rapid and significant shift in technology usage and increasing interest in and need for sharing patient data raises enhanced privacy and cybersecurity concerns in the highly regulated healthcare industry.
Limited HIPAA Waiver
In response to the declaration of a nationwide emergency concerning COVID-19, the US Department of Health and Human Services (HHS) issued a waiver (effective March 15) of limited HIPAA Privacy Rule obligations for covered entities located in Secretary Azar’s January 31 public health emergency declaration area during the first 72 hours after the activation of the entity’s emergency response plan. Under the waiver, HHS will waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the Privacy Rule:
Obtaining a patient’s agreement to speak with family or friends or to be included in the facility directory
Distributing the facility Notice of Privacy Practices (and keeping it updated, given the changes in how information may be used or disclosed)
Honoring a patient’s requests for certain privacy restrictions or confidential communications
The waiver is limited. Is does not apply to hospitals that have not instituted a disaster protocol or 72 hours after instituting a disaster protocol. Also, it is not clear whether temporary facilities set up for testing or emergency room overflow/prescreening fall under the waiver.
The HHS Office for Civil Rights (OCR) issued a bulletin on COVID-19-related use and disclosure of protected health information. The guidance addresses a variety of disclosure options, including treatment, public health, those involved in an individual’s care, prevention of a serious and imminent threat, and media. While these are not new concepts, OCR’s bulletin places these HIPAA concepts in the context of COVID-19.
Public Health Disclosures
Under HIPAA, covered entity health care providers may disclose PHI about individuals who have been exposed to, or are suspected of having contracted, COVID-19 to public health authorities authorized by law to receive such information for preventing or controlling the spread of disease. However, providers should consult applicable authority under state law before relying solely on HIPAA as authorizing a permissive disclosure. Some states have mandatory public health reporting obligations. Further, reporting obligations and options may vary depending on whether the subject individual is a patient, workforce member who is not a patient, or workforce member who is also a patient.
For permissive reporting to public health authorities, covered entity providers should limit disclosures to minimum necessary information (e.g., information needed by the public health authority to conduct activities to prevent or control the spread of COVID-19). In addition, public health disclosures are not excluded from accounting of disclosures obligations, so covered entity providers should be prepared to record and supply individuals with required accounting information.
First Responder Access
On March 24, OCR issued guidance outlining how providers may disclose health information about an individual infected with or exposed to COVID-19 to law enforcement, paramedics, and other first responders (in addition to public health authorities) without patient authorization. The guidance outlines disclosures for treatment purposes, when first responders may be at risk of infection, and provides additional specific examples related to EMS and 911 call centers. The guidance also reminds providers of the general obligation (with limited exceptions) to limit disclosures to minimally necessary information.
State Law Still Applies
The HIPAA limited waiver and emergency situation do not, without more, waive state privacy laws. While the waiver allows some flexibility with HIPAA compliance, we are still waiting to see if state regulators will take any action to waive state privacy obligations (either those that mirror HIPAA or those that are more protective than HIPAA).
Providers should familiarize themselves with permissive and mandatory reporting obligations and state-specific obligations regarding handling, use, and disclosure of patient information.
Sensitive Health Information
In addition to HIPAA, health and life sciences entities are familiar with additional legal obligations related to particularly sensitive health information, including alcohol and drug abuse treatment records, HIV, mental health, etc. These increased protections remain in place without express waivers or exceptions for emergencies.
The Substance Abuse and Mental Health Services Administration (SAMHSA) released guidance on March 19 regarding COVID-19 and 42 C.F.R. Part 2 to ensure that substance use disorder (SUD) treatment services are uninterrupted during the public health emergency. Noting the increased need for telehealth services, including telephonic consultations, and the difficulty in obtaining written consent for disclosure of SUD records, SAMHSA noted that Part 2 prohibitions would not apply to these situations to the extent that a medical emergency exists (as determined by the provider).
Safeguards and Access Controls
HIPAA’s obligations to implement and maintain reasonable and appropriate administrative, physical, and technical safeguards to protect confidentiality, integrity, and availability of protected health information are not waived in a public health emergency. Providers adapting to changing conditions, makeshift testing facilities, and increased patient volumes must continue to implement appropriate safeguards.
With increasing interest in symptoms, testing, care, and outcomes of COVID-19 patients, access controls are an important safeguard for snooping (even from well-meaning workforce members). HIPAA covered entities must implement reasonable and appropriate safeguards, to protect confidentiality, integrity, and availability of protected health information. Providers should implement heightened access controls (e.g., break the glass or VIP designations), provide reminders to workforce members on appropriate and inappropriate access, and review and respond audit logs.
Recognize HIPAA requirements are still applicable in a public health emergency, understand the scope of the limited HIPAA waiver, consider interaction of state and federal law for public health disclosures, assess safeguard adequacy, and enable strong access controls on COVID-19 records.
Meghan O’Connor and Simone Colgan Dunlap are attorneys with Quarles & Brady. For assistance, contact Meghan O’Connor at 414.277.5423 or [email protected] and Simone Colgan Dunlap at 602.229.5510 or [email protected]. For more information, please visit https://www.quarles.com/covid-19-guidance-for-clients/ for comprehensive, free-to-access COVID-19 resources.