Due to the rapid spread of the COVID-19 virus throughout the world, the U.S. Department of Health and Human Services (HHS) issued a bulletin
on February 3, 2020 clarifying how the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies during such an outbreak1
. The bulletin helps clarify under what circumstances the Privacy Rule permits the disclosure of protected health information (PHI) without an individual’s consent and has become increasingly important as the number of COVID-19 cases in the United States continues to climb.
In general, the HIPAA Privacy Rule governs how covered entities, including health plans, and business associates of those covered entities, must act to protect the privacy and security of PHI. Employers with self-funded or self-administered health plans are subject to HIPAA with respect to PHI obtained through the health plan (rather than directly from the employee outside of the plan context).2
The Privacy Rule generally prohibits the disclosure of an individual’s PHI without that individual’s consent, with a few exceptions, including certain exceptions intended to allow public health authorities to carry out their duties. Specifically, a covered entity is permitted to disclose individual PHI without obtaining that individual’s consent to the Centers for Disease Control and Prevention (CDC) and to state or local health departments for the purpose of reporting diseases or conducting interventions. Some states require such disclosure. The HHS bulletin provides that, for example, “a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV).”
A covered entity is also permitted to disclose PHI without an individual’s consent to family members, friends, or caregivers identified as being involved in the individual’s medical care if it is in the individual’s best interest, although the individual’s consent should be obtained if possible. This could include information about the individual’s location, general condition, or death.
The Privacy Rule also requires that any disclosure be limited to the “minimum necessary” information required to accomplish the intended purpose of the disclosure. For disclosures relating to COVID-19, the HHS bulletin states that covered entities “may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV) is the minimum necessary for the public health purpose.”
The HIPAA Privacy Rule does not permit an employer acting as a covered entity to disclose an individual’s PHI to that individual’s co-workers without the individual’s consent, and so care should be taken to segregate PHI contained in an employer’s health plan records from the employer’s other records. For more information on an employer’s responsibilities with respect to COVID-19 in the workplace outside the HIPAA context (when the employer is not acting as a covered entity), please see a related alert
from Fennemore's employment and labor group.