In times of crisis, processing the influx of information can be like drinking water from a firehose. It can be difficult to just take what you need and keep moving especially when important information is about topics on which you may not feel well oriented.
Over the past several weeks, the Office for Civil Rights, the part of The U.S. Department of Health and Human Services that enforces HIPAA, has issued several notices about privacy and security flexibilities to help providers respond to COVID-19.
The first notice is a reminder about how a patient’s protected health information (PHI) can be disclosed for public health purposes. PHI can be disclosed to a public health authority, such as a state or local health department or the CDC, to report cases of COVID-19. While it is unlikely, during an outbreak, health departments sometimes request information from providers. This is called active surveillance. If you receive a request from a public health authority about COVID-19, be sure to confirm the requestor’s identity by asking for government identification or calling the department using the phone number on its official website to confirm a written request.
Other permitted disclosures for public health purposes can be made to those who may have been exposed to a communicable disease or may be at risk of contracting or spreading a disease or condition to control the spread of the disease. It is very important to remember that only the minimum amount of PHI should be disclosed.
PHI can be disclosed to family members, friends, and others involved in a patient’s care but only as it applies to the current treatment or authorization from the patient. Providers should exercise professional and ethical judgement in these situations.
The OCR released further clarification that, on a per case basis, emergency departments, 911 and EMS dispatch centers that are covered entities, and nursing homes can disclose a patient’s COVID-19 status to first responders and officers so appropriate precautions can be taken to minimize exposure. In addition to this, business associates may now share PHI for public health purposes related to COVID-19 so that the CDC and other public health authorities can have quicker access to critical statistics.
All other disclosures that are not part of treatment, payment, or operations, remain restricted and require a patient’s authorization. These exceptions will be in place until further notice from the OCR.