HIPAA Implications of COVID-19
ERISA and Employee Benefits Client Alert
In general, the HIPAA Privacy Rule governs how covered entities, including health plans, and business associates of those covered entities, must act to protect the privacy and security of PHI. Employers with self-funded or self-administered health plans are subject to HIPAA with respect to PHI obtained through the health plan (rather than directly from the employee outside of the plan context).2
The Privacy Rule generally prohibits the disclosure of an individual’s PHI without that individual’s consent, with a few exceptions, including certain exceptions intended to allow public health authorities to carry out their duties. Specifically, a covered entity is permitted to disclose individual PHI without obtaining that individual’s consent to the Centers for Disease Control and Prevention (CDC) and to state or local health departments for the purpose of reporting diseases or conducting interventions. Some states require such disclosure. The HHS bulletin provides that, for example, “a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV).”
A covered entity is also permitted to disclose PHI without an individual’s consent to family members, friends, or caregivers identified as being involved in the individual’s medical care if it is in the individual’s best interest, although the individual’s consent should be obtained if possible. This could include information about the individual’s location, general condition, or death.
The Privacy Rule also requires that any disclosure be limited to the “minimum necessary” information required to accomplish the intended purpose of the disclosure. For disclosures relating to COVID-19, the HHS bulletin states that covered entities “may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV) is the minimum necessary for the public health purpose.”
The HIPAA Privacy Rule does not permit an employer acting as a covered entity to disclose an individual’s PHI to that individual’s co-workers without the individual’s consent, and so care should be taken to segregate PHI contained in an employer’s health plan records from the employer’s other records. For more information on an employer’s responsibilities with respect to COVID-19 in the workplace outside the HIPAA context (when the employer is not acting as a covered entity), please see a related alert from Fennemore’s employment and labor group.
In March 2020, HHS also issued a limited waiver of HIPAA penalties and sanctions for violations of certain provisions of the Privacy Rule. The limited waiver applies only to covered hospitals meeting certain requirements for specified emergency times and locations.
Although personal health information provided by employees to an employer outside of a health plan may not be covered by the HIPAA Privacy Rule, it is still recommended that employers treat such information with a high level of confidentiality and obtain the employee’s consent to any disclosure if possible.