Recent guidance from the Office for Civil Rights and the Centers for Medicare and Medicaid Services reiterates that existing privacy laws and emergency preparedness standards provide an effective framework for providers during the 2019 Novel Coronavirus outbreak.
We recently published guidance for US employers and employer group health plan considerations surrounding the 2019 Novel Coronavirus (COVID-19), and here we take a closer look at privacy and emergency preparedness issues facing the hospitals and other healthcare providers that are on the front lines of treatment; public health outreach activities with respect to the virus; and how public health concerns may be balanced with compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rule.
Healthcare privacy laws, such as HIPAA and state medical privacy laws, can create complexities for hospitals as they attempt to weigh the privacy rights of a patient who has contracted COVID-19 against preserving public safety, including that of the patient’s co-workers, family, and friends. A hospital’s response to COVID-19 must also address federal, state, and local emergency preparedness requirements applicable to health facilities.
The Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS) issued a bulletin on February 3, 2020 (the OCR Bulletin), confirming that even in emergency situations such as the COVID-19 outbreak, the protections of the HIPAA privacy rule still apply. Therefore, a hospital must continue to apply administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI).
The OCR Bulletin notes that while HIPAA protects the privacy of PHI, it does not preclude the use and disclosure of the minimum amount of PHI necessary to treat a patient, to protect the nation’s public health, or to prevent a serious and imminent threat to the health and safety of a person or the public. The OCR Bulletin does not articulate any new HIPAA rules or guidance, and is similar to other bulletins that the agency has issued in the wake of other major emergencies, such as hurricanes, earthquakes, and mass shootings.
CMS Emergency Preparedness Requirements
US hospitals have long been subject to federal, state, and local emergency preparedness requirements, which include emergency preparedness initiatives established by HHS. The Centers for Medicare and Medicaid Services (CMS) Hospital Preparedness Program has provided a sustained national focus on emergency preparedness to improve patient outcomes and enable rapid recovery.
Hospitals have long been subject to certification and licensing standards and, while much of the CMS Hospital Preparedness Program is voluntary, compliance with the CMS conditions of participation, conditions of coverage, and conditions for certification required of hospital facilities is not.
To that end, CMS issued “reminder” guidelines on February 6, 2020 (the CMS Memorandum), regarding the obligations of facilities as they gear up to address the most recent coronavirus illness. The CMS Memorandum to state survey directors reiterated required survey and certification standards involving hospital and other healthcare facility conditions of participation and identified surveyor expectations of healthcare facilities.
In response to COVID-19, the director of the CMS Quality, Safety and Oversight Group reiterated guidance, issued in February 2019, on the need for hospitals to prepare so as to ensure the safety of families, healthcare workers, and patients alike. CMS cites the importance of complying with the Centers for Disease Control (CDC) Interim Infection Control Recommendations for COVID-19 and the CDC Hand Hygiene in Healthcare Settings guidance.
The CMS Memorandum also notes that CMS will be working with accrediting organizations and state survey agencies to “clarify, emphasize, and ensure that healthcare facility infection control programs meet minimum health and safety standards.” It instructs surveyors to “be alert to healthcare staff hand hygiene practices” during surveys, and reminds surveyors and providers that OCR has issued guidance on the ways patient information may be shared during an emergency without setting aside the protections of the HIPAA privacy rule.
HIPAA and COVID-19
The OCR Bulletin restates the HIPAA privacy rule concerning sharing patient information with public health authorities, with families and friends to prevent a serious threat, and with the media, placing such disclosures in the context of the COVID-19 outbreak.
Family and Friends
PHI about a COVID-19 patient can be disclosed to certain friends, family members, and other individuals involved in the care of that person. A hospital may also share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care of the patient’s location, general condition, or death. See 45 CFR 164.510(b). In addition, a hospital may share PHI with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care of the patient’s location, general condition, or death.
Serious and Imminent Threat
A hospital may also share PHI as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, so long as the disclosure is consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s ethical standards of conduct. See 45 CFR 164.512(j). Under this exception, a hospital may disclose PHI regarding a COVID-19 patient to anyone who is in a position to prevent or lessen a serious and imminent threat, such as the threat of spreading COVID-19 infection, including family, friends, caregivers, and law enforcement, without the patient’s permission.
Hospitals should always be wary of employee snooping, as this poses a significant privacy risk. We recommend using the curiosity and media presence surrounding COVID-19 as an opportunity to remind those employees with access to PHI of their responsibilities under HIPAA.
Media
The media plays a large role in preserving public health and providing timely and accurate information about COVID-19 and the risk of contraction. However, the media and the general public are not covered by HIPAA mandates and therefore are not subject to HIPAA restrictions once they have information about an individual who has contracted COVID-19.
HIPAA generally prohibits the disclosure of information regarding the employee or dependent’s condition, such as specific tests, test results, or details of a patient’s illness, to the media without his or her consent. Where a patient has not objected to or restricted the release of PHI, a hospital may, upon request, disclose information about a particular patient by name; may release limited facility directory information to acknowledge an individual is a patient at the facility; and may provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released). See 45 CFR 164.510(a).
Public Health Authorities
In situations where individuals have contracted an infectious disease such as COVID-19, there is a legitimate need to share information with public health authorities and others responsible for ensuring public health and safety. Those entities may need PHI to allow them to carry out their mission, which is to protect the public from disease.
Accordingly, the HIPAA privacy rule contains exceptions that permit hospitals to share information regarding employees or dependents who have contracted COVID-19 with state and federal public health authorities, such as the CDC and state and local departments of health.
With respect to all permitted disclosures of patient PHI, such disclosures are subject to the minimum necessary rule. Shared information should be limited to the minimum necessary amount to accomplish the purpose for which the information is disclosed. For example, a hospital may rely on representations from the CDC that the PHI requested by the CDC about patients exposed to or suspected or confirmed to have COVID-19 is the minimum necessary for the public health purpose. See 45 CFR 164.502(b) and 164.514(d).
Providers are focusing on all areas of emergency preparedness, and legal compliance is a necessary element of that effort. To that end, common legal preparedness elements include a communications and media strategy, protection of PHI in communications, and prepared statements, all of which should be reviewed by legal counsel.
We further recommend that employees be reminded of their responsibilities relating to access to patient records, that “break the glass” features in electronic medical records be used to prevent unauthorized access, and that other protections be confirmed to be in place to prevent unauthorized access by employees tempted to look up the records of patients being treated for COVID-19.
It is important to maintain perspective as this latest virus affects communities in the United States and around the world. Misinformation can spread easily, both in communities and within provider organizations. Succumbing to hysteria, abusing access to information, or failing to prepare for emergencies can expose certified and licensed healthcare providers to legal risk. Nevertheless, the applicable regulatory agencies have emphasized that existing privacy laws and emergency preparedness standards provide an effective framework for hospitals to respond to the spread of COVID-19.