In these unprecedented times, there is much talk of the novel coronavirus (COVID-19) as it relates to HIPAA and the privacy of patient information. The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) recently provided a statement to ensure all parties are aware of how patient information can be shared during an infectious disease outbreak. The purpose of the statement was to remind business associates and other entities covered by HIPAA that the Privacy Rule is not set aside during an emergency.
What this means for caregivers
Anyone who has been recognized by the patient will be allowed to continue receiving patient information. Additionally, HIPAA-covered entities are permitted to share the information in order to identify or locate a patient, and to notify the family members, guardians, or other caregivers of the patient’s general health condition or death. Furthermore, the information can be disclosed to law enforcement, the press or the public at large if necessary, to identify or locate the patient.
In any of the above cases, verbal permission from the patient should be obtained prior to the disclosure of information. However, the HIPAA minimum necessary standard does apply. This means that healthcare providers should make a reasonable effort to ensure any disclosed PHI is protected and restricted to the minimum necessary information, and only used to achieve the intended purpose.
What this means for business associates
While caregivers involved may share information as needed for public health purposes, business associates may not release the information without express authorization. If there is a legitimate need for public health authorities, or others responsible for ensuring public health and safety, to access protected health information required to carry out their public health mission, then and only then may the covered entity release the information. For example, should a facility ask that a business associate, such as MRO, release information verbally, the business associate is required to obtain a waiver of protection to do so. This is because the rule specifically indicates that business associates are to continue with the use of the protected information as outlined in the business associate agreement.
To learn more, and read the entire HHS release, click here.