The HIPAA Privacy Rule protects the privacy of patients’ health information but is balanced so that appropriate use and disclosure of that information remains available when necessary during a public health emergency. This information may be used to treat a patient, to protect public health, and for other critical purposes.
Considering the coronavirus (COVID-19) outbreak, the Department of Health & Human Services (HHS) issued a bulletin stating that the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule’s protections still apply to covered entities and business associates at this time, but not to employers.
HHS also announced that it will not impose penalties for HIPAA non-compliance against healthcare providers that serve patients through virtual communication (FaceTime or Skype) during this public health emergency.
Impact to Employers
Employers are not directly subject to the Privacy Rule, meaning medical information that an employee provides directly to an employer is not covered by it. However, other federal and state privacy restrictions may still apply, including the Americans with Disabilities Act (ADA).
Impact to Covered Entities
HHS’ guidance regarding the protection of health information during an outbreak includes:
- Treatment — covered entities may disclose, without a patient’s authorization, protected health information (PHI) about the patient as necessary for treatment.
- Public Health Activities — permits covered entities to disclose needed PHI to public health authorities and others responsible for ensuring public health and safety.
- Disclosures to Families — a covered entity may share PHI with a patient’s family members, relatives, friends or other persons identified by the patient as involved in the patient’s care.
- Disclosures to Prevent Threat — healthcare providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.
- Disclosures to the Media — affirmative reporting to the media or public at large about an identifiable patient and/or the disclosure of specific information pertaining to a patient’s illness may not be done without the patient’s (or legal representative’s) authorization.
- Minimum Necessary — a covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose.
Covered entities and their business associates will want to review HHS’ guidance to ensure they remain compliant as this public health emergency progresses.
Questions? We’re here for you. Contact the Creative Benefits Team at 866-306-0200 or email@example.com.