HIPAA Privacy and Security During the COVID-19 Pandemic

The HIPAA Security Rule ensures the security of patients’ protected health information (PHI) and requires reasonable safeguards to be implemented to protect PHI against impermissible uses and disclosures.¹ The HIPAA Privacy Rule restricts the uses and disclosures of PHI to those related to treatment, payment, and healthcare operations.² When public health emergencies such as the COVID-19 pandemic are declared, the Secretary of Health and Human Services (HHS) may choose to waive certain sanctions and penalties for non-compliance with specific provisions of the HIPAA privacy rules.

The U.S. Centers for Disease Control and Prevention (CDC) has advised the following in regard to COVID-19: if an individual has been in China within the past 14 days or exhibits the following symptoms: i) feels sick with fever, cough, ii) experiences difficulty breathing, and iii) is running a fever greater 101º F, then he or she should report the condition and should either engage in mandated quarantine or self-quarantine.³ In this situation, rights to privacy, under the HIPAA along with other state and federal rules, are maintained. As such, under HIPAA (and the other state and federal rules), the individual’s identity should not be disclosed without an authorization from the individual.

This raises the issue of how to notify all workforce members of the status of a coworker who may be a carrier of the COVID-19 virus. This is critical to allow individuals to maintain their personal safety, and to control the spread of the disease.

Best practice is to disclose the potential exposure without disclosing the individual’s name: “Someone in our workplace believes they have been exposed to, or has tested positive, for COVID-19, and they have identified you as a close contact according to the CDC definition. The person was exposed or tested positive on a certain date and is now self-isolating.”

Permitted Disclosures Regarding the COVID-19 Pandemic: Employee Infections

The increased spread of the novel coronavirus presents a number of significant challenges in addressing how to deal with COVID-19 infections, in the face of the HIPAA privacy rules, along with other relevant federal (and state regulations). This article is designed to address the two most common issues you will be presented with: an employee diagnosed with the COVID-19 virus, or an employee exposed to the COVID-19 virus. Your designation as a covered entity, as well, will color how you address these issues.

In February 2020, the Office for Civil Rights (OCR) released a bulletin about the novel coronavirus.⁴ This bulletin, a summary of which is detailed below, confirms how patient information may be shared under the HIPAA privacy rule during emergency situations such as the outbreak of infectious disease.⁴

• PHI can be disclosed without first receiving authorization from a patient for treatment purposes.⁴ Disclosures are also permitted to coordinate and manage care for patient referrals and consultations with other health care professionals.

• With a disease such as COVID-19, it is essential for covered entities to notify public health authorities of an infected patient, as the public health authorities will need information in order to ensure public health and safety.⁴ It is permissible to share PHI with public health authorities such as the CDC, state and local health departments, and others responsible for ensuring the safety of the public. These disclosures are necessary to help prevent and control disease, injury, and disability. In such cases PHI may be shared without obtaining authorization from the patient.

• Disclosures of PHI are also permitted to prevent and lessen a serious and imminent threat to a specific person or the public in general, provided such disclosures are permitted under other laws.⁴ Such disclosures do not require permission from a patient. These disclosures are left to the discretion and professional judgment of health care professionals about the nature and the severity of the threat.

HIPAA Applies Only to Covered Entities and Business Associates

The first issue under HIPAA is, are you acting as a covered entity?

The Privacy Rule does not apply to disclosures made by entities or other persons who are not covered entities or business associates. There may be other state or federal rules—such as the Americans with Disabilities Act or the Genetic Information Nondiscrimination Act of 2008—that apply, although such persons or entities should follow the standards on a voluntary basis to assure compliance with these other federal and state rules.^5,6

The HIPAA Privacy Rule applies to disclosures made by employees, volunteers, and other members of a covered entity’s or business associate’s workforce.⁷ Covered entities are health plans, health care clearinghouses, and those health care providers who conduct one or more covered health care transactions electronically, such as transmitting health care claims to a health plan. Business associates generally are persons or entities (other than members of the workforce of a covered entity) that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information. Business associates also include subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate.

Given this definition, employer-to-employee communications will most likely not be covered by HIPAA, and as such are not controlled by the HIPAA Privacy Regulations but other federal and state regulations may apply.⁷

Disclosures Allowed Under HIPAA For Covered Entities

In those instances where the entity provides services that fall under the definition of a covered entity, or business associate, you are able to share patient information, without an authorization, under the following circumstances:

Treatment. According to the Privacy Rule, HIPAA-covered entities may disclose a patient’s PHI without the patient’s consent, as necessary, to treat that patient or a different patient.⁴ Treatment includes coordinating or managing health care and related services by one or more health care providers and others, consultation between providers, and treatment referral for patients.⁸

Public health activities. The HIPAA Privacy Rule acknowledges the legitimate need for public health authorities to have the access to the PHI that is necessary to carry out their public health mission.

Therefore, the Privacy Rule permits covered entities to disclose needed PHI without individual authorization in the following circumstances:⁴

• To a public health authority, such as the CDC or a state or local health department, which is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability.⁴ Examples include reporting of disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. A “public health authority” is defined as a U.S. government agency or authority; a state, territory, or their political subdivisions; or Indian tribe that is responsible for public health matters as part of its official mandate. The definition also includes a person or entity acting under a grant of authority from, or under a contract with, a public health agency.⁹ For example, a covered entity may disclose to the CDC protected health information on an ongoing basis as necessary to report all prior and prospective cases of patients who have been exposed COVID-19 or who are suspected or confirmed to have the disease.

• At the direction of a public health authority to a foreign government agency that is acting in collaboration with the public health authority.^4,10

• To people at risk of contracting or spreading COVID-19 if state law or another law authorizes the covered entity to notify such people as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.^4,11

Disclosures to Family, Friends, and Those Involved in Patient Care

A HIPAA-covered entity may share PHI with a patient’s family, friends, or other people identified by the patient as involved in the patient’s care.¹² A covered entity also may share information about a patient necessary to identify, locate, and notify family or anyone else responsible for the patient’s care of the patient’s location, general condition, or death. This may include the police, press, or the public at large.

When possible, the covered entity should get verbal permission from individuals or otherwise should be able to reasonably infer that the patient does not object to disclosure. If the individual is incapacitated or not available, covered entities may share information for these purposes if, in their professional judgment, doing so is in the best interest of the patient.

If patients are unconscious or incapacitated, and the health care provider determines that doing so is in the best interests of the patient, a health care provider may share relevant information with family, friends, or others involved in the patient’s care or payment for care. For example, a provider may determine it is in the best interests of an elderly patient to share relevant information with the patient’s adult child, but generally the provider could not share unrelated information about the patient’s medical history without permission.

Furthermore, a covered entity may share PHI with disaster relief organizations that are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other people involved in the patient’s care, of the patient’s location, general condition, or death. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.

When Can You Disclose to Prevent a Serious and Imminent Threat?

Health care providers may share patient information with anyone who can prevent or lessen a serious and imminent threat to the health and safety of a person or the public—consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct.¹³ This means providers may disclose a patient’s health information without permission to family, friends, caregivers, and law enforcement, who may prevent or lessen the threat. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety.¹⁴

A HIPAA-covered entity may disclose PHI to a person who is at risk of contracting or spreading a disease or condition if other law authorizes the covered entity to notify such individuals as necessary to carry out public health interventions or investigations. For example, a covered health care provider may disclose PHI as needed to notify people that they have been exposed to a communicable disease if the covered entity is legally authorized to do so to prevent or control the spread of the disease.¹⁵

Disclosing to the Media or Others Not Involved in the Care of the Patient

Generally, except in limited circumstances described elsewhere, it is forbidden to provide affirmative reporting to the media or the public at large about an identifiable patient, or disclosing to the public or media specific information about treatment of an identifiable patient, such as specific tests, test results, or details of a patient’s illness.¹⁶ This may not happen without the patient’s written authorization (or the written authorization of a personal representative who is legally authorized to make health care decisions for the patient).

If the patient has not objected to or restricted the release of PHI, a covered hospital or other health care facility may, upon request, release limited facility directory information to acknowledge an individual is a patient at the facility. The covered entity may also provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released). Covered entities may also disclose information when the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient.¹⁷

Limiting Information Disclosure to the ‘Minimum Necessary’

For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to the “minimum necessary” amount to accomplish the purpose. (Minimum necessary requirements do not apply to disclosures to health care providers for treatment purposes.) Covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose, when that reliance is reasonable under the circumstances. For example, a covered entity may rely on representations from the CDC that the PHI requested by the CDC about all patients exposed to or suspected or confirmed to have COVID-19 is the minimum necessary for the public health purpose. Internally, covered entities should additionally continue to apply their role-based access policies to limit access to PHI to only those workforce members who need it to carry out their duties.¹⁸

Aside from disclosures by health care providers for the purpose of providing treatment, the minimum necessary standard applies. Healthcare professionals must make reasonable efforts to ensure that any PHI disclosed is restricted to the minimum necessary information to achieve the purpose for which the information is being disclosed.

When information is requested by a public authority or official, covered entities can rely on representations from the public health authority or official that the requested information is the minimum necessary amount, that reliance is reasonable under the circumstances.

Determining If an Individual Poses a ‘Serious and Imminent Threat’

Minimally, you will need to ask the employee which coworkers they have been in “close contact” with within the prior two weeks. (The CDC defines “close contact” as “a person that has been within six feet of the infected employee for a prolonged period of time.”)¹⁹

Notifying Employees of Potential Exposure

If everyone in your practice has been working from home during the previous two weeks, exposure may be unlikely, but you should still ask if the infected person had contact with any coworkers. You should alert those who have been in close contact with the employee as soon as possible, repeat the advice given on the CDC site for their situation and, of course, direct employees to their own doctors. The law is clear about confidentiality here: You should tell everyone who was possibly exposed at work to the positive employee without revealing that employee’s identity.

Either way, your message is the same: “Someone in our workplace has tested positive for COVID-19, and they have identified you as a close contact according to the CDC definition. We are here to support you. If you are at work, please prepare to leave as quickly as you can. The person tested positive on a certain date and is now self-isolating. The close contacts have been told and were asked to leave the workplace and self-isolate. If you were not already told you were a close contact, then you are not one. If you have questions about COVID-19 or your situation, please call your doctor and look at the CDC website.”

Disclosures of Information About COVID-19 by Entities Not Covered by HIPAA

It is worth noting that HIPAA only applies to HIPAA-covered entities, business associates of HIPAA-covered entities and subcontractors of business associates. There are no restrictions on disclosures of information about COVID-19 by other entities. However, while HIPAA may not apply, other federal and state laws still do.
Health care communications between employers and employees are not governed by the HIPAA Privacy Rules, which would not apply if employees tell an employer they have contracted COVID-19 or are self-isolating because they are displaying symptoms of COVID-19. HIPAA would only apply if an employer is informed about an employee testing positive for the virus by the employer’s health plan.

Roger Shindell is Chief Executive Officer of Carosh. He is also chairman of the Healthcare Information and Management Systems Society (HIMSS) Risk Assessment Work Group and is a member of American Health Information Management Association (AHIMA) privacy and security council. Shindell has more than 30 years of multidisciplinary experience in health care and has served as an advisor and principal in health care, technology, and service companies. He may be reached at rshindell@carosh.com.

1. US Department of Health and Human Services. HIPAA security rule. US Department of Health and Human Services. Reviewed May 12, 2017. Accessed May 21, 2020. https://tinyurl.com/yayfnzo8.
2. US Department of Health and Human Services. HIPAA privacy rule. US Department of Health and Human Services. Reviewed April 16, 2015. Accessed May 21, 2020. https://tinyurl.com/yxop7pcs.
3. Centers for Disease Control and Prevention. Coronavirus disease 2019 (COVID-19). What to do if you are sick. Centers for Disease Control and Prevention. Updated May 8, 2020. Accessed May 21, 2020. https://tinyurl.com/ucdum7c.
4. Bulletin: HIPAA Privacy and Novel Coronavirus. Office for Civil Rights, US Dept. of Health and Human Services. February 2020. Accessed May 21, 2020. https://tinyurl.com/sf2nm5v .
5. Americans with Disabilities Act of 1990, as amended. Equal opportunity for individuals with disabilities. Discrimination. 42 U.S.C. §12112(d)(3)(B), §12112(d)(4)(C), §12112(d)(3)(B)(i)–(iii). Updated June 15, 2009. Accessed May 21, 2020. https://tinyurl.com/y9umez9q.
6. Equal Opportunity Employment Commission. Genetic Information Nondiscrimination Act of 2008. 29 CFR §1635.9. October 30, 2015. Accessed May 21, 2020. https://tinyurl.com/ybo3zogx.
7. US Department of Health and Human Services, Office for Civil Rights. HIPAA administrative simplification. 45 CFR §164.502. March 2013. Accessed May 21, 2020. https://tinyurl.com/ydxmqhy8.
8. US Department of Health and Human Services, Office for Civil Rights. HIPAA administrative simplification. https://tinyurl.com/ydxmqhy8.
9. US Department of Health and Human Services, Office for Civil Rights. HIPAA administrative simplification. 45 CFR §164.501, §164.512(b)(1)(i). https://tinyurl.com/ydxmqhy8.
10. US Department of Health and Human Services, Office for Civil Rights. HIPAA administrative simplification. 45 CFR §164.512(b)(1)(i). https://tinyurl.com/ydxmqhy8.
11. US Department of Health and Human Services, Office for Civil Rights. HIPAA Administrative Simplification. 45 CFR §164.512(b)(1)(iv). https://tinyurl.com/ydxmqhy8.
12. US Department of Health and Human Services, Office for Civil Rights. HIPAA Administrative Simplification. 45 CFR §164.510(b). https://tinyurl.com/ydxmqhy8.
13. US Department of Health and Human Services, Office for Civil Rights. HIPAA Administrative Simplification. 45 CFR §164.512(j). https://tinyurl.com/ydxmqhy8.
14. US Department of Health and Human Services, Office for Civil Rights. HIPAA Administrative Simplification. 45 CFR §164.512(j). https://tinyurl.com/ydxmqhy8.
15. US Department of Health and Human Services, Office for Civil Rights. HIPAA Administrative Simplification. 45 CFR §164.512(b)(1)(iv). https://tinyurl.com/ydxmqhy8.
16. US Department of Health and Human Services, Office for Civil Rights. HIPAA Administrative Simplification. 45 CFR §164.508. https://tinyurl.com/ydxmqhy8.
17. US Department of Health and Human Services, Office for Civil Rights. HIPAA Administrative Simplification. 45 CFR §164.510(a). https://tinyurl.com/ydxmqhy8.
18. US Department of Health and Human Services, Office for Civil Rights. HIPAA Administrative Simplification. 45 CFR §164.502(b), §164.514(d). https://tinyurl.com/ydxmqhy8.
19. Centers for Disease Control and Prevention. Implementation of mitigation strategies for communities with local COVID-19 transmission. Centers for Disease Control and Prevention. March 12, 2020. Accessed May 21, 2020. https://tinyurl.com/u3nwo68.