The Novel Coronavirus (2019-nCoV; COVID-19) continues to spread, and news changes moment by moment on its impact to our social ecosystems. This is especially the case for the healthcare industry, which is facing mounting pressures involving the ability to offer testing, to ensure appropriate access to healthcare facilities, and to provide adequate space and equipment for treatment. As healthcare providers and their vendors address these concerns, they must also continue to protect patient information, which could include information about the disease and those who have it.

HIPAA covered entities and business associates must share information to ensure adequate treatment and related activities, but they can only do so within the requirements of the HIPAA Privacy and Security Rules and any applicable state laws (that provide greater protections than HIPAA). The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) recently issued guidance to remind covered entities and business associates that HIPAA protections under the Privacy Rule remain in place, even during an outbreak of infectious disease or other emergency situations. This guidance may be found at: https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf.

There are a number of ways in which covered entities and business associates may share protected health information (PHI) and still comply with the Privacy Rule (see 45 CFR § 164.500 et seq.):

1. Treatment—It is critical that our healthcare systems have information for treatment purposes. The Privacy Rule allows the use and disclosure of PHI, without patient authorization, as needed to treat the patient or to treat a different patient. Treatment includes coordination of healthcare and related services as well as consultation among providers or patient referrals for treatment.
2. Public Health Activities—Public health authorities have legitimate needs to access PHI needed to carry out their public health missions. Accordingly, the Privacy Rule allows covered entities and business associates to use and disclose PHI without individual authorization: (a) when providing PHI to a public health authority, such as the Centers for Disease Control and Prevention (CDC) or state or local health department to prevent or control disease, injury, or disability; (b) at the direction of a public health authority, when providing PHI to a foreign government agency acting in concert with the health authority; or (c) when providing PHI to persons at risk of contracting or spreading the disease.
3. Individuals Involved in Patient’s Care—Covered entities and business associates may share PHI with a patient’s family members, relatives, friends, or others identified by the patient as being involved in the patient’s care. This includes sharing of PHI to identify, locate, or notify family members or others. When possible, the covered entity or business associate should get verbal permission from individuals or be able to reasonably infer that the patient does not object to the sharing of information. If a patient is unconscious or incapacitated, a healthcare provider may share relevant information if the provider feels doing so is in the best interest of the patient. However, such sharing of information should be limited to what is needed for the provider to make adequate decisions for the patient.
4. Serious and Imminent Threats—Healthcare providers may share PHI as needed to prevent or minimize a serious or imminent threat to the health and safety of a person or the public. This should be done consistent with other applicable law as well as the provider’s standards of ethical conduct.

In general, covered entities and business associates cannot share specific information or results with the media or public about a patient without the patient’s authorization. However, a provider may collect information about a patient to include in a patient directory, which may be publicly available, so long as the patient has not objected to or restricted the release of her PHI. This can include the patient’s name, room location, and general terms about the patient’s condition. It cannot include specific medical information about the patient.

Even if a covered entity or business associate is able to share PHI in one or more of these situations, it must make reasonable efforts to limit the information used or disclosed to the minimum necessary information needed to accomplish the purpose of the use or disclosure. And the provider or organization must continue to implement reasonable safeguards to prevent intentional or unintentional uses and disclosures of PHI that are not permitted under the Privacy Rule. This includes continued compliance with the administrative, physical, and technical safeguards under the Security Rule.

HIPAA only applies to covered entities and business associates. Persons or organizations who do not qualify for that status may not be subject to HIPAA restrictions, but may remain subject to other state or federal privacy rules or prohibitions. When dealing with healthcare information, all persons or organizations should ensure that they are aware of their obligations under applicable law.

All persons and organizations should also remain informed about the latest news and activities involving COVID-19, which may be found at: https://www.cdc.gov/coronavirus/2019-ncov/about/index.html.