Access All Live + All On-Demand Trainings for 1 Year! SAVE $500 NOW

All Blogs

Prevent HIPAA Penalties: 5 Emergency Disclosure Rules to Follow Now


Posted Mar 19, 2020
Share: Share on Facebook Share on Twitter Share on LinkedIn
All Blogs

Prevent HIPAA Penalties: 5 Emergency Disclosure Rules to Follow Now

Posted March 19, 2020
Share: Share on Facebook Share on Twitter Share on LinkedIn

As COVID-19 quickly spreads across the country, so will the requests for access to patient Protected Health Information (PHI).  These requests can come from a variety of sources (i.e. patients, health departments, government agencies, family members, guardians, etc.). 

It is imperative that you have a firm handle on your obligations and your patients’ rights when it comes to releasing patient PHI. Although HIPAA privacy fines are not being issues currently, you can bet they’ll be back once this pandemic is over. Below you’ll find a variety of HIPAA disclosure allowances to help you better protect your patients and practice from  privacy expert and healthcare attorney, Daphne Kackloudis, JD.

HIPAA Updates Confirm Privacy Rights Still Apply

As a provider, always remember that protections of the Privacy Rule are not set aside during an emergency. The U.S. Department of Health and Human Services (HHS) provided guidance to ensure that HIPAA covered entities (your practice) and business associates are aware of the ways that patient information may be shared under the HIPAA Privacy Rule during this emergency.

Patient Authorization Disclosure Not Required in Course of Treatment

Under the Privacy Rule, you may disclose, protected health information about the patient as necessary to treat the patient or to treat a different patient without a patient’s authorization. Treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment.

Some Public Health Release Exempt from Patient Authorization Requirement

The Privacy Rule permits you to disclose needed PHI without individual authorization under the following circumstances:

  • CDC/Health Department: To a public health authority, such as the CDC or a state or local health department, that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability.

Definition: A public health authority is an agency or 27 authority of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency.

Example: A covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have COVID19.

  • Foreign Government: At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority.
  • At-risk Persons: To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.
  • Relief Organizations: With disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.

Verbal Authorization Best If Possible Before PHI Release to Family

Yes. A you may share PHI with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. You may also share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary, to notify family members and others, the police, the press, or the public at large.

You should get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, when possible. If the patient is incapacitated or not available, you may share information for these purposes if, in your professional judgment, doing so is in the patient’s best interest. For patients who are unconscious or incapacitated, you may share relevant information about them with family, friends, or others involved in the their care or payment for care, if it is determined, based on your professional judgment, that doing so is in the best interests of the patient.

Minimum Needed Disclosure Standard Applies to COVID-19

For most disclosures of PHI, you must make reasonable efforts to limit the information disclosed a “minimum necessary”this standard does not apply to disclosures to health care providers for treatment purposes). You may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose, when that reliance is reasonable under the circumstances.

Example: A covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have COVID-19 is the minimum necessary for the public health purpose. In addition, internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties.

HIPAA & COVID-19 Online Training and Resources

 

Meet Your Writer

Daphne Kackloudis
Esq.
Partner at Brennan, Manna & Diamond

Daphne L. Kackloudis is a member of the firm, she heads BMD Columbus’ health care practice, and she chairs BMD’s Empowerment and Opportunity (DE&I) Committee. Daphne’s success –and that of her clients – is rooted in the nexus between traditional health care legal services and health care public policy. She has broad and deep experience in health care operations, service delivery, payment systems, and compliance, as well as Medicaid, public policy, and government affairs. Daphne advises health care trade associations and health care providers as outside counsel and in-house as a member of her clients’ senior leadership teams.