HHS reminds covered entities of HIPAA applicability during coronavirus outbreak

The Department of Health and Human Services (HHS) sent out a bulletin on February 3 to remind hospitals of information-sharing protocols when dealing with an outbreak of infectious disease or an emergency situation such as the novel coronavirus.

As HHS noted, the HIPAA Privacy Rule safeguards patients’ protected health information (PHI), but also states that information may be disclosed when necessary to “treat a patient, to protect the nation’s public health, or for other critical purposes.”

HHS provided examples of circumstances when covered entities (CE) are permitted to share PHI without authorization from the individual. For instance, CEs can disclose PHI to the Centers for Disease Control and Prevention to report all prior and prospective cases of patients confirmed or suspected to have novel coronavirus. Healthcare organizations may also disclose PHI to a foreign government agency that Is working in collaboration with a public health authority.

Additionally, healthcare providers can share patient information to anyone who is in position to prevent or lessen a “serious and imminent threat.” This could include family, friends, caregivers, and law enforcement.

Generally, disclosure of PHI to the media is not appropriate, according to HHS.

In any disclosure, CEs must consider the “minimum necessary” rule, which mandates that shared information be limited to what is the minimum necessary to accomplish the purpose.