As hospitals, skilled nursing facilities, physician practices, and other health care providers work to address the novel coronavirus (COVID-19) and those impacted or who may be impacted, it is important to understand when these individuals and entities are permitted to share patient information, when they are required to do so, and what limitations exist on disclosures of identifiable health information.
In a February 3, 2020, bulletin,[1] the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) issued a reminder to covered entities and business associates that the HIPAA protections on patient information remain in place during disease outbreaks and other health emergencies, including COVID-19. While the HIPAA regulatory requirements are not relaxed during the COVID-19 pandemic, the Secretary of HHS has the ability to waive certain provisions of the HIPAA regulations.
Following the declaration of a nationwide emergency with respect to COVID-19, effective March 15, 2020, the HHS Secretary exercised his authority to waive certain sanctions and penalties for hospitals that fail to comply with certain provisions in the HIPAA Privacy Rule. In particular, subject to the limitations described below, the Secretary is waiving penalties related to:
- The requirement that a hospital obtain a patient’s agreement prior to speaking with the patient’s family or friends involved in the patient’s care;
- The requirement that a hospital allow a patient to exclude their name from the facility directory;
- The requirement that the hospital provide patients with a Notice of Privacy Practices;
- Compliance with a patient’s requested privacy restrictions; and
- Compliance with a patient’s request for confidential communications.
This waiver applies only (i) in the emergency area identified in the emergency declaration (in this case, nationally); (ii) to hospitals that have implemented a disaster protocol; and (iii) for up to 72 hours from the implementation of the disaster protocol. With respect to the COVID-19 pandemic, once neither the President’s nor the HHS Secretary’s emergency declaration remains in effect, hospitals must resume compliance with the HIPAA Privacy Rule provisions cited above, or they risk enforcement actions and penalties. However, hospitals and other health care providers are able to apply to HHS to request a waiver of penalties for HIPAA noncompliance if the waiver would facilitate the provider’s service to patients during the COVID-19 pandemic. Under Section 1135 of the Social Security Act, HHS may approve these waivers on a case-by-case basis. Providers should submit Section 1135 waiver requests to both the State Survey Agency (and/or the applicable accreditation organization) and their CMS Regional Office.
Notwithstanding the relief provided to hospitals under the circumstances described above, HIPAA sets forth a number of ways in which hospitals and other health care providers may share patient data without the patient’s authorization. Some include:
- For treatment of the patient or of a different patient. For example, a nursing home may discuss a resident’s care with a hospital or with the resident’s primary care physician. The treatment exception also permits information disclosures necessary to refer a patient to a different health care provider and to coordinate with third parties, including those who are not health care providers regulated by HIPAA, regarding the patient’s care.
- To inform persons involved in the patient’s care. For example, a hospital treating a patient with COVID-19 may share the patient’s information with family members or others responsible for the patient’s care when the information is directly relevant to the person’s involvement with the patient’s care or payment related to that care. Similarly, a skilled nursing facility may disclose the fact that the resident is receiving care at the facility to his or her family members who are involved in the resident’s care, and may disclose the resident’s general condition and, as applicable, inform them if the resident dies.
  - If the patient has the capacity to make health care decisions, the facility must first either (i) obtain the patient’s agreement to the disclosure, such as asking a new patient to specify on an intake form to which family members the hospital may disclose information; (ii) provide the patient with an opportunity to object to the disclosure, and proceed if the patient does not object; or (iii) reasonably infer from the circumstances, based on the professional judgment of the applicable clinician, that the patient does not object to the disclosure.
  - If the patient is incapacitated, or if an emergency circumstance negates the patient’s ability to consent or object to the disclosure to the patient’s family or others involved in his or her care, the relevant clinician, exercising his or her professional judgment, may disclose the patient’s information if he or she determines that the disclosure is in the patient’s best interest.
- To report or otherwise provide information for public health purposes. For example, as OCR notes in its February bulletin, a hospital, skilled nursing facility, or other health care provider may disclose a patient’s information to the Centers for Disease Control and Prevention (“CDC”) to report actual or prospective cases of COVID-19. Providers may notify a foreign government agency if that agency is collaborating with an applicable U.S.-based public health authority. Health care providers also may provide information to a state or local health department when that agency is authorized by law to collect that information for the purpose of preventing or controlling disease.
- To avert a serious and imminent threat. To make a disclosure of patient information to avert a threat, the health care provider would need to believe, in good faith, that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a particular person or the public generally. The disclosure must be made to one or more persons who are reasonably able to prevent or lessen the threat. In its bulletin on COVID-19, OCR lists family, friends, caregivers, and law enforcement as some examples of persons who may be in a position to lessen a COVID-19-related threat. Disclosures under this exception rely on the professional judgment of the applicable clinician as to whether a situation rises to the level of a threat to a person’s health or safety.
As health care providers analyze patient information disclosures, they also must keep in mind whether any other federal or state law restrictions limit the information that they can share. For example, certain subsets of a patient’s record may be specially protected under state law, such as mental health information or HIV/AIDS/sexually transmitted disease-related information, and substance use disorder information and genetic testing information are specially protected at the federal level. If a patient’s record contains any of these subsets of information, a provider should take care to ensure that a disclosure that includes this data is permissible. Also, hospitals, skilled nursing facilities, and other providers must take care to limit any data disclosures to the minimum necessary to accomplish the purpose of the disclosure. For example, a provider likely will not need to transfer a patient’s mental health information or genetic test results to the CDC when informing the agency of a COVID-19 diagnosis.
In addition, as COVID-19 is a heavily-covered topic in the press, health care providers should take care to ensure that any disclosures to the media, or public postings on a facility’s website or social media accounts, comply with HIPAA and other applicable law. Assuming that the applicable patient has not previously objected or otherwise restricted his or her health information, HIPAA permits limited disclosures without patient authorization to the media and to persons who are not involved in the patient’s care, such as a hospital confirming that a particular person is a patient and providing general information on the patient’s condition, such as whether the patient is in critical condition or whether the patient has been released. As it may be the case that the press already has some information on a particular patient, a skilled nursing facility or hospital needs to ensure that its staff do not inappropriately share additional details above and beyond what HIPAA permits. Further, health care providers must take care in any social media postings or replies not to inappropriately divulge patient data. Disclosures to the press of patient data have been the subject of OCR enforcement actions;[2] training public relations and administrative staff on permissible disclosures, or consolidating media and social media responses to a designated individual or team, may prevent HIPAA violations and OCR enforcement.
While it is important for health care providers to ensure that they are safeguarding patient data, they must simultaneously make sure that they are providing appropriate access to this data. In 2019, OCR announced a Right of Access Initiative, whereby it is focused on ensuring that patients receive prompt access to their medical records in the format of their choice and without being overcharged. Since then, OCR has announced two enforcement actions under this Right of Access Initiative, entering into settlements, each with $85,000 penalties, with two providers who failed to provide timely access to patient information.[3] Health care providers should take care that they are properly responding to a patient’s request for his or her records, providing such access in a timely manner, and charging patients fees that comply with the limitations imposed by HIPAA and state law. In addition, hospitals, physicians, and other providers should take care to provide records to a patient in the format requested; for example, if a provider uses electronic health records and the patient requests an electronic copy of their record, the provider must provide the patient with an electronic copy if the information is readily producible in this format. If providers are outsourcing to vendors their responses to patient access requests, the providers should take care to confirm that their vendors are complying with the applicable HIPAA and state law requirements regarding medical record requests.
It is important to note that, while other state data protection laws may apply more broadly, HIPAA only applies to covered entities and business associates. Persons or entities who do not fall within those categories, including the media and patients’ family members, are not subject to the HIPAA privacy protections and may be able to share data more freely.
[1] Office for Civil Rights, HIPAA Privacy and Novel Coronavirus, February 2020.
[2] See OCR Resolution Agreement and Corrective Action Plan with Allergy Associates of Hartford, P.C., and OCR Resolution Agreement and Corrective Action Plan with Elite Dental Associates—Dallas, P.C.
[3] See OCR Resolution Agreement and Corrective Action Plan with Bayfront HMA Medical Center, LLC, and OCR Resolution Agreement and Corrective Action Plan with Korunda Medical, LLC.