In case you missed it, the Department of Health and Human Services (“DHHS”) Office for Civil Rights (“OCR”) recently issued a bulletin titled HIPAA Privacy and Novel Coronavirus “to ensure that HIPAA covered entities and their business associates are aware of the ways that patient information may be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency.” It noted that in addition to protecting privacy, the Rule permits uses and disclosures to protect the nation’s public health. It also referenced the CDC’s information on protecting oneself  from the disease at https://www.cdc.gov/coronavirus/2019-ncov/downloads/2019-ncov-factsheet.pdf.

After mentioning the general authority to use and disclose protected health information (“PHI”) for treatment without patient consent (unless another law, such as 42 C.F.R. Part 2, regulating substance abuse treatment disclosures, requires consent), it discusses public health activities access in detail.

The Privacy Rule permits covered entities to disclose needed PHI without individual authorization to a public health authority, such as the CDC or a state or local health department, that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability. A “public health authority” is an agency or authority of the United States government, a state, a territory, a political subdivision of a state or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. See 45 C.F.R. §§ 164.501 and 164.512(b)(1)(i). For example, a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV).

Public health authorities may also disclose to persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations. See 45 C.F.R. § 164.512(b)(1)(iv).

The bulletin also reiterated that a health care provider may share PHI with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care.  A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, or even the police, the press, or the public at large of the patient’s location, general condition, or death. 45 C.F.R. § 164.510(b). The covered entity should get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible; if the individual is incapacitated or not available, covered entities may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest.

For patients who are unconscious or incapacitated, a health care provider may share relevant information about the patient with family, friends, or others involved in the patient’s care or payment for care, if the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient.

The bulletin noted that a covered entity may share protected health information with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death.  It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.

Disclosures to Prevent a Serious and Imminent Threat: Health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public―consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. See 45 C.F.R. § 164.512(j).  Thus, providers may disclose a patient’s health information to anyone who is in a position to prevent or lesson the serious and imminent threat, including family, friends, caregivers, and law enforcement without a patient’s permission. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety.  See 45 C.F.R. § 164.512(j). In the author’s opinion, the coronavirus is such a threat.

Note that, other than stated above, disclosures to the media or others not involved in the patient’s care may not be done without the patient’s written authorization (or the written authorization of a personal representative who is a person legally authorized to make health care decisions on behalf of the patient).

As to the Minimum Necessary Rule, covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose, when that reliance is reasonable under the circumstances.

The bulletin stressed that, even in an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must continue to apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information (“EPHI”).

To read the entire bulletin, go to https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf.

Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. Surely, after having read Jon’s blog items all these years, and especially today’s blog item, you recognize that you must keep your risk analysis up to date. Make sure that you include malware and ransomware in your initial risk analysis and all updates thereof. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMHO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6^th edition, with the accompanying HIPAA Documents Resources Center CD, also 6^th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at https://www.veteranspress.com/product/hipaa-risk-analysis-toolkit. Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at https://www.complianceiq.com/trainings/LiveWebinar/2255/how-to-do-a-hipaa-and-hitech-risk-analysis. Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on the Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there. Also, include in your risk analysis the lack of a business associate agreement if you are considering hiring a business associate or a downstream business associate.

If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation, including a release of information policy and a right of access policy. That book also contains a chapter by me on how to write in general, but more specifically on how to write a good policy.

Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: https://www.veteranspress.com/product/basic-hipaa-training-video-dvd-workbook or https://www.veteranspress.com/product/online-hipaa-training-video-certification. Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at jon@veteranspress.com or 816-527-3858.

Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly, after restarting your heart, if HHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Jon’s Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist, as one of our clients suggested to us.

If you have had a security incident that you were unsure as to what exactly to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.

A sample business associate agreement policy and a sample business associate agreement are posted in the Premium Member section of our website at www.veteranspress.com.

As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts. Please avoid the coronavirus with or without the HIPAA implications. We need you on the planet just the way you are to do the work that you do. Thank you.