COVID-19 and Patient Information Disclosure and Reporting
Federal health care privacy laws, most notably privacy and security rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), permit covered entities to disclose information concerning COVID-19 victims in some circumstances. These “covered entities” include health care providers, health insurers, and employer-funded health plans. State-mandated restrictions and reports concerning infectious diseases also are permitted under HIPAA.
Existing HIPAA provisions allow disclosure of information concerning COVID-19 victims for treatment purposes, to family and friends involved in the infected person’s care, in circumstances suggesting an imminent danger to the infected individual or to others, or to business associates acting on behalf of or for the benefit of the covered entity. The Secretary of Health and Human Services has the power to waive restrictions on disclosure, but has not done so as yet. The Secretary has, however, waived other restrictions on hospitals that have instituted disaster protocols and loosened some standards regarding telemedicine.
The Promotion of Telemedicine
The Office of Civil Rights for the Department of Health and Human Services (OCR), the federal agency that enforces HIPAA, announced yesterday that it would not impose penalties on health care providers for using technology for telemedical interactions with patients that are not compliant with HIPAA security rules. The announcement specifically referenced audio or video communication technology that is “non-public facing”: Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype.
Clinicians should apprise their patients of the privacy and security risks posed by these platforms, and employ additional security measures when possible, but OCR will not sanction good faith use of these platforms when in the exercise of professional judgment the provider renders care by these means. Facebook Live, Twitch, TikTok, were characterized as “public-facing” and should not be used by health care providers.
The Center for Medical and Medicaid Services also announced yesterday a decision to loosen licensure and prior relationship requirements on reimbursement for telemedical services.
Additionally, the Drug Enforcement Agency’s yesterday approved the prescription of controlled substances following telemedical examinations, dispensing with face-to-face examination requirements for the duration of the public health emergency.
72 Hour Waiver for Hospitals
Effective March 15, 2020, Secretary Azar of the federal Department of Health and Human Services has exercised his authority to waive sanctions and penalties against hospitals for 72 hours following institution of a hospital’s disaster protocol. The waiver applies to HIPAA Privacy Rule requirements:
- to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. 45 CFR 164.510(b).
- to honor a request to opt out of a facility directory. 45 CFR 164.510(a).
- to distribute a notice of privacy practices. 45 CFR 164.520.
- to grant a patient’s request for privacy restrictions. 45 CFR 164.522(a).
- to grant a patient's request for confidential communications. 45 CFR 164.522(b).
Public Health Reporting
HIPAA permits disclosures concerning communicable diseases to public health authorities under HIPAA’s provisions concerning disclosures that are “required by law.” Public health authorities may be federal, such as the Centers for Disease Control and Prevention, or local, like a county health department. Specific rules will apply to specific categories of health care providers; e.g., hospitals, laboratories, long-term care facilities.
This is a good time to remember that business associates also are subject to HIPAA’s restrictions on the disclosure of identifiable health information. Particularly as regards to electronic health information, business associates must observe most of the security standards demanded of covered entities. This is a good time to review, or put in place, required policies and procedures.
There is no special dispensation for the media under HIPAA’s prohibition against disclosures of identifiable health information. The information a facility may disclose concerning a patient or resident (unless that patient or resident has objected) is limited to “status” information (condition is “stable,” “good,” etc.) and when the provider believes the release of such information is in the individual’s best interests. Specific health information should not be shared.
Given their care of especially vulnerable, elderly populations, long-term care facilities (e.g., assisted living, nursing, or rehabilitation facilities) operate currently under enhanced restrictions by the state. Access to residents and patients is being restricted. Reporting of “novel influenza” is mandatory. Staff or vendorspresenting with concerning information or symptoms will be denied access to a facility, and visitors are being turned away except in the case of patients at the end of life. Facilities are posting notices to visitors concerning preventative policies and measures.
The governors of both Oregon and Washington have declared a state of emergency and issued by executive order restrictions on gatherings of 25 or 50 or more persons, respectively, for social, spiritual, and recreational purposes. The restrictions in Washington are currently effective through March 31, 2020. In Oregon, the restrictions are in force until April 8, 2020. Both sets of emergency restrictions are enforceable by criminal sanctions.