As hospitals, skilled nursing facilities, physician practices, and other health care providers work to address the novel coronavirus (COVID-19) and those impacted or who may be impacted, it is important to understand when these individuals and entities are permitted to share patient information, when they are required to do so, and what limitations exist on disclosures of identifiable health information.
In a February 3, 2020, bulletin, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) issued a reminder to covered entities and business associates that the HIPAA protections on patient information remain in place during disease outbreaks and other health emergencies, including COVID-19. While the HIPAA regulatory requirements are not relaxed during the COVID-19 pandemic, the Secretary of HHS has the ability to waive certain provisions of the HIPAA regulations.
Following the declaration of a nationwide emergency with respect to COVID-19, effective March 15, 2020, the HHS Secretary exercised his authority to waive certain sanctions and penalties for hospitals that fail to comply with certain provisions in the HIPAA Privacy Rule. In particular, subject to the limitations described below, the Secretary is waiving penalties related to:
This waiver only applies (i) in the emergency area identified in the emergency declaration (in this case, nationally); (ii) to hospitals that have implemented a disaster protocol; and (iii) for up to 72 hours from the implementation of the disaster protocol. With respect to the COVID-19 pandemic, if neither the emergency declaration of the President nor that of the HHS Secretary remains in effect, hospitals must resume compliance with the HIPAA Privacy Rule provisions cited above, or they risk enforcement actions and penalties. However, hospitals and other health care providers may apply to HHS to request a waiver of penalties for HIPAA noncompliance if the waiver would facilitate the provider’s service to patients during the COVID-19 pandemic. Under Section 1135 of the Social Security Act, HHS may approve these waivers on a case-by-case basis. Providers should submit Section 1135 waiver requests to both the State Survey Agency (and/or applicable accreditation organization) and their CMS Regional Office.
Notwithstanding the relief provided to hospitals under the circumstances described above, HIPAA sets forth a number of ways in which hospitals and other health care providers may share patient data without the patient’s authorization. Some include:
As health care providers analyze patient information disclosures, they also must keep in mind whether any other federal or state law restrictions limit the information that they can share. For example, certain subsets of a patient’s record may be specially protected under state law, such as mental health information or HIV/AIDS/sexually transmitted disease-related information, and substance use disorder information and genetic testing information are specially protected at the federal level. If a patient’s record contains any of these subsets of information, a provider should take care to ensure that a disclosure that includes this data is permissible. Also, hospitals, skilled nursing facilities, and other providers must limit any data disclosures to the minimum necessary to accomplish the purpose of the disclosure. For example, a provider likely will not need to transfer a patient’s mental health information or genetic test results to the CDC when informing the agency of a COVID-19 diagnosis.
In addition, as COVID-19 is a heavily covered topic in the press, health care providers should take care to ensure that any disclosures to the media, or public postings on a facility’s website or social media accounts, comply with HIPAA and other applicable law. Assuming that the applicable patient has not previously objected or otherwise restricted disclosure of his or her health information, HIPAA permits limited disclosures without patient authorization to the media and to persons who are not involved in the patient’s care, such as a hospital confirming that a particular person is a patient and providing general information on the patient’s condition, such as whether the patient is in critical condition or whether the patient has been released. Because the press may already have some information on a particular patient, a skilled nursing facility or hospital needs to ensure that its staff do not inappropriately share additional details beyond what HIPAA permits. Further, health care providers must take care in any social media postings or replies not to inappropriately divulge patient data. Disclosures of patient data to the press have been the subject of OCR enforcement actions; training public relations and administrative staff on permissible disclosures, or consolidating media and social media responses in a designated individual or team, may prevent HIPAA violations and OCR enforcement.
While it is important for health care providers to ensure that they are safeguarding patient data, they must simultaneously make sure that they are providing appropriate access to this data. In 2019, OCR announced a Right of Access Initiative, whereby it is focused on ensuring that patients receive prompt access to their medical records in the format of their choice and without being overcharged. Since then, OCR has announced two enforcement actions under this Right of Access Initiative, entering into settlements, each with $85,000 penalties, with two providers who failed to provide timely access to patient information. Health care providers should take care that they are properly responding to a patient’s request for his or her records, providing such access in a timely manner, and charging patients fees that comply with the limitations imposed by HIPAA and state law. In addition, hospitals, physicians, and other providers should take care to provide records to a patient in the format requested; for example, if a provider uses electronic health records and the patient requests an electronic copy of their record, the provider must provide the patient with an electronic copy if the information is readily producible in this format. If providers are outsourcing to vendors their responses to patient access requests, the providers should take care to confirm that their vendors are complying with the applicable HIPAA and state law requirements regarding medical record requests.
It is important to note that, while other state data protection laws may apply more broadly, HIPAA only applies to covered entities and business associates. Persons or entities who do not fall within those categories, including the media and patients’ family members, are not subject to the HIPAA privacy protections and may be able to share data more freely.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.