This week, the HHS Office of Civil Rights (OCR) issued a bulletin (Bulletin) to remind covered entities and business associates that “the protections of the Privacy Rule are not set aside during an emergency.”
The Bulletin’s information on appropriate disclosures and protections under emergency circumstances is especially timely in the wake of the United States’ recent experience with disclosing information about patients diagnosed with and treated for Ebola and enterovirus-d68. Because the HIPAA Privacy Rule only provides a very limited waiver of sanctions and penalties against a covered hospital for acts during a public health or other emergency under the Project Bioshield Act and section 1135(b)(7) of the Social Security Act (and only if the U.S. President declares a public health emergency or disaster and the Secretary of HHS declares a public health emergency), covered entities and business associates cannot afford to abandon HIPAA’s privacy and security mandates.
An easy way for covered entities and business associates to parse the Bulletin’s guidance is to ask the following four questions:
- Who wants the patient information?
- Why does the requestor want the information?
- How urgently does the requestor need the information?
- What patient information can be given (with or without patient consent)?
Who Wants the Information?
This is a threshold question that can greatly limit the types of information that covered entities and business associates may disclose without violating the Privacy Rule. The Bulletin specifically addresses the potential types of information that covered entities and business associates may give to the following classes of individuals and entities:
- Other Health Care Providers
- Family, Friends, and Others Involved in an Individual’s Care (including to Disaster Relief Organizations)
- Public Health Authorities (or a Foreign Government Agency collaborating with the Public Health Authority)
- Persons at Risk of Contracting or Spreading a Disease or Condition
- The Media or Others Not Involved in the Care of the Patient/Notification
If a requestor of a patient’s information cannot fit into any of these categories, chances are, a covered entity or business associate cannot disclose any information to them, or can only disclose very limited information (as dictated by the answer to the last question). In addition, business associates and subcontractors should always consult their Business Associate Agreements to ensure that they do not further restrict the types of individuals and entities to which the business associate or subcontractor may disclose information.
Why Does the Requestor Want the Information?
The first question leads naturally to the second, because HIPAA may only authorize a covered entity or business associate to provide information for specific purposes to a Requestor. The Bulletin specifically addresses the following reasons for disclosing PHI:
- Notification to Family, Friends, and Others Involved in an Individual’s Care
- Notification to Persons at Risk of Contracting or Spreading a Disease or Condition
- For Preventing or Controlling Disease, Injury, or Disability
Thus, as the Bulletin states, “affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization (or the written authorization of a personal representative who is legally authorized to make health care decisions for the patient). (emphasis added). In contrast, providing this information to another treating physician or health care worker as necessary to treat the patient or to treat a different patient involved in the patient’s treatment is permissible without the patient’s authorization. And again, Business Associate Agreements may also further limit the reasons for which business associates or subcontractors may disclose information to others.
How Urgently does the Requestor need the Information?
This third question is a corollary to the second, because the purpose of requesting the information naturally indicates the urgency with which it is needed. Thus, a covered entity or business associate would likely distinguish between information disclosed to a public health authority for “public health surveillance, investigations, or interventions,” such as vital records information, and information provided to that public health authority “as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.” Under either circumstance, state laws, regulations, and case law may provide additional guidance on how to determine the appropriate amount of information to disclose under the circumstances.
What Information Can Be Given (with or without Patient Consent)?
This question is the most important of the four, because with the exception of disclosures to health care providers for treatment purposes, “a covered entity [and business associate] must make reasonable efforts to limit the information disclosed to that which is the ‘minimum necessary’ to accomplish the purpose.” Based on this principle, it is better to underdisclose and supplement it with additional information as necessary to meet the Requestor’s needs rather than overdisclose and risk penalties, sanctions, and collateral lawsuits from individuals afterwards. In the same vein, it is imperative to make all reasonable efforts to obtain a patient’s (or his or her authorized representative’s) consent before making a final decision about disclosure.
With comprehensive answers to the first three questions, experienced privacy officers, in-house counsel, and outside counsel can make informed judgments about what patient information may be disclosed. More importantly, covered entities and business associates should use these questions to guide the creation of any policies and procedures for disclosing patient information during public health emergencies, but should also consult OCR’s Emergency Situations: Preparedness, Planning, and Response site as well as the FAQs.