OCR details rules for sharing patient info during coronavirus outbreak
In the wake of the novel coronavirus outbreak, the HHS Office for Civil Rights is detailing how patient information can be shared to protect public health under the HIPAA privacy rule.
HIPAA applies only to covered entities and business associates. Under the privacy rule, covered entities may disclose, without patient authorization, protected health information (PHI) about the patient as necessary to treat, according to OCR.
This treatment includes the coordination or management of healthcare and related services by one or more providers, which could include consultations between providers as well as the referral of patients.
In the interest of public health, the privacy rule recognizes the legitimate need for public health authorities and others ensuring health and safety to have access to PHI necessary to carry out the public health mission.
Consequently, the privacy rule permits covered entities to disclose needed PHI without individual authorization to a public health authority such as the Centers for Disease Control or a health department authorized by law to collect and receive information to prevent or control disease. This would include reporting of disease or injury; vital events such as births or deaths; and conducing public health surveillance, investigations or interventions.
A public health authority further could provide health information to a foreign government agency in collaboration with the public health entity.
The OCR also supports disclosures of health information to family, friends and others involved in an individual’s care. For example, information can be shared to identify, locate and notify not just family members but also guardians and anyone else responsible for a patient’s care. This notification could include police, the press or the public at large.
A covered entity should obtain verbal permission from a patient or be able to reasonably infer that the patient does not object, when possible.
If a person is incapacitated or not available, covered entities can share information if in their professional judgment doing so is in the patient’s best interest.
For example, a provider may determine that the best interests of a patient would be to share relevant information with the patient’s adult child, but generally the provider could not share unrelated information about the patient’s medical history without permission.
Finally, HIPAA enables covered entities to share protected health information with disaster relief organizations to coordinate notification of family members or others caring for the patient, of the patient’s location general condition or death. In a disaster situation, it is not necessary to get patient permission to share information, if doing so could interfere with an organization’s ability to respond to the emergency.