Novel Coronavirus Outbreak Leads to HHS Covered Entity HIPAA Data Sharing Provision Warning

The Department of Health and Human Services has released a bulletin to make HIPAA-covered bodies of the methods for sharing patient information during outbreaks of infectious disease and other emergency situations, due to the recent Novel Coronavirus (2019-nCoV) epidemic.

In the news release, the HHS confirms that at such times, the protections of the HIPAA Privacy Rule still apply and healthcare groups must continue to apply administrative, technical, and physical security measure to ensure the confidentiality, integrity, and availability of protected health information (PHI).

Under the HIPAA Privacy Rule, covered groups are allowed to share patient information without authorization for treatment purposes, care coordination, consultations, and referrals of patients for medical treatment.

In situations when patients are suffering an infectious disease such as 2019-nCoV, there is a genuine need for data to be shared with public health authorities and others responsible for ensuring public health and safety. Those groups may need to be supplied with PHI to allow them to carry out their public health missions. In such instances, the HIPAA Privacy Rule allows covered entities to share PHI with those entities and individual authorizations are not necessary.

That includes sharing private personal information with the Centers for Disease Control and Prevention (CDC) and state and health departments authorized by law to be sent information to prevent or control disease and injury. Directed by a public health authority, PHI may also be shared with foreign government agencies that are operating with public health bodies. Data can also be shared with people believed to be in danger of contracting or spreading disease, if other law, such as state law authorizes the covered entity to notify such persons to help prevent the spread of disease or to carry out public health inquiries.

PHI can also be shared with friends, family members, and other individuals involved in the care of a patient, including sharing data about a patient, as required, to identify, locate, and notify family members, guardians, and others responsible for the patient’s treatment, of the patient’s location, general condition, or death.

AT times like this, verbal permission should be obtained from the patient or it can be reasonably inferred that the patient does not have a complaint. If a patient is incapacitated, then professional judgement should be used as to whether the sharing of private information is in the patient’s best interest.

Patient information may also be shared to eliminate or lessen a serious or imminent threat to the health and safety of a person or the public, consistent with applicable legislation. Generally speaking, providing specific information about an identifiable patient to the media or public at large is not allowed.

All allowable sharing of patient information are subject to the minimum necessary rule. Shared information should be restricted to the minimum necessary amount to accomplish the aim for which information is shared.

Author: Security News