In light of the Novel Coronavirus (COVID-19) outbreak, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has issued a Bulletin to ensure that HIPAA covered entities and their business associates are aware of the ways that protected information may be shared under the HIPAA privacy rule in an outbreak of infectious disease or other emergency situation, and to serve as a reminder that the protections of the privacy rule are not set aside during an emergency. While HIPAA protects the privacy of ”protected health information” (PHI), this is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient (the employee or dependent), to protect the nation’s public health, and to prevent a serious and imminent threat to the health and safety of a person or the public.
Employers need to understand what information they may share under HIPAA’s privacy rule during an outbreak of infectious disease or other emergency situation. HIPAA applies only to “covered entities” and “business associates.” Most employers are not “covered entities” and are therefore not subject to HIPAA as an employer, but employers have concerns under HIPAA if they sponsor a group health plan and receive PHI from the plan. Employers may want to use the COVID-19 concerns as an opportunity to remind those employees with access to PHI of their responsibilities under HIPAA.
Some Health Information is Not PHI
HIPAA applies only to PHI held, created or received by the group health plan. PHI generally does not include individually identifiable health information held by the employer in employment records needed for the employer to carry out its obligations under the FMLA, ADA, and similar laws, as well as files or records related to other employment issues like disability insurance and sick leave request. So while there may be other state or federal privacy rules that apply, HIPAA generally does not apply if the information is not obtained from the group health plan.
Some Disclosures of PHI Allowed
The Bulletin confirms that in an outbreak of an infectious disease such as COVID-19, HIPAA-covered employers will have the same freedom as HIPAA-excluded employers to share employee information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, consistent with applicable law. Thus, an employer may disclose an employee’s health information to anyone in a position to prevent or lessen the serious and imminent threat without an employee’s permission. So employers can share information about an employee’s or dependent’s location, general condition, or death, as necessary, to identify, locate, and notify family members, guardians, and other persons responsible for that person’s care. HIPAA does prohibit the disclosure of information regarding the employee or dependent’s condition to the media without his or her consent. But note that the media and the general public are not covered by HIPAA mandates and therefore are not subject to HIPAA restrictions once they have information about an individual who has contracted COVID-19.
Health authorities and others responsible for ensuring public health and safety may need PHI to allow them to carry out their mission, which is to protect the public from disease. Therefore, the HIPAA privacy rule does contain exceptions that would permit employers to share information regarding employees or dependents who have contracted COVID-19 with state and federal public health authorities, such as the Centers for Disease Control and Prevention (CDC) and state and local departments of health.
Minimum Necessary Limits
With respect to all permitted disclosures of PHI, such disclosures are subject to HIPAA’s minimum necessary rule, which provides that shared information should be limited to the minimum necessary amount to accomplish the purpose for which the information is disclosed.
Conner Strong & Buckelew will provide alerts and updates as new information becomes available. Please contact your Conner Strong & Buckelew account representative toll-free at 1-877-861-3220 with any questions. For a complete list of Legislative Updates issued by Conner Strong & Buckelew, visit our online Resource Center.