Exceptions Under the HIPAA Privacy Rule for Disclosure of PHI Without Patient Authorization
The Novel Coronavirus (COVID-19) has presented the healthcare industry with an abundance of issues and questions, most of which revolve around public health and safety. Recognizing the wide-reaching effects of COVID-19, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS)—which enforces HIPAA—issued a bulletin that provided guidance on how covered entities and business associates may share protected health information (PHI) under the HIPAA Privacy Rule, without a patient's authorization, during a public health emergency. Published on February 3, 2020, the bulletin also reiterated that the HIPAA Privacy Rule has always allowed protected health information (PHI) to be shared without patient authorization under certain circumstances. We outline the key points of the OCR's guidance below.
Preventing a Serious and Imminent Threat
PHI may be disclosed as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public based on the health care provider's professional judgment under 45 CFR 164.512(j). The disclosure may be to anyone in a position to prevent or lessen the serious and imminent threat, including family, friends, caregivers, and law enforcement.
Treating the Patient
PHI may be disclosed as necessary to treat the patient, or to treat a different patient. Treatment includes the coordination or management of health care and related services by one or more healthcare providers and others, consultation between providers, and the referral of patients for treatment.
Ensuring Public Health and Safety
PHI may be disclosed to public health authorities, such as the Centers for Disease Control and Prevention or a state or local health department, which are authorized to collect or receive such information for the purpose of preventing or controlling disease, injury or disability. This allows disclosure of prior, current, and prospective patients diagnosed with COVID-19; PHI may be disclosed at the direction of a public health authority; and to persons at risk of contracting or spreading COVID-19 so long as state law authorizes the disclosure.
Notifying Family, Friends, and Others Involved in Care
PHI may be disclosed to a patient's family, friends, or other persons identified by the patient as involved in the patient's care, as well as to the police, press, or public. Verbal permission from the patient should be obtained if possible. However, if the patient is incapacitated, then the PHI disclosure should be made based on professional judgment and limited to only necessary and related information. Patient permission is not necessary for disclosures to disaster relief organizations for the purpose of coordinating these family, friend, and caretaker notifications, if doing so would interfere with the organization's ability to respond to the emergency.
Notifying Media and the Public
Disclosure of Specific, Detailed PHI
Health care providers should obtain a written HIPAA authorization from the patient or the patient's legally authorized representative before disclosing specific, detailed PHI to the media or the public.
Disclosure of Basic, General PHI
If the patient has not objected to or restricted the release of PHI, health care providers may disclose basic information about the patient's general condition (e.g., stable or critical) upon request about a particular patient. If the patient is incapacitated, PHI may be disclosed if it is in the best interest of the patient and consistent with any prior expressed preferences of the patient.