How does privacy law come into play when a pandemic hits? Do the rules change? How do business associates and covered entities know when and where they can share PHI related to the pandemic? Let’s discuss so that you understand the impact on your organization.
HIPAA Privacy Rule and Pandemics
The HHS recently released a memo that explains how the HIPAA Privacy Rule balances protection of PHI with protection of national public health. During pandemics like the coronavirus, the HHS outlines the unique disclosure permissions in the HIPAA Privacy Rule:
- Treatment – Covered entities may disclose, without a patient’s authorization, PHI about the patient as necessary to treat the patient or to treat a different patient.
- Public Health Activities – Covered entities may disclose, without a patient’s authorization, PHI about the patient when it is legitimately required by public health authorities to carry out their public health mission.
- Disclosures to Family and Friends – Under specific scenarios outlined by the HIPAA Privacy Rule, a covered entity may share PHI with a patient’s family members, relatives, friends, or others involved in the patient’s care.
- Preventing Serious and Imminent Threats – Covered entities may share PHI with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.
- Disclosures to the Media – Reporting to the media or the public at large about an identifiable patient or their treatment is not permitted without the patient’s written authorization.
- Minimum Necessary Disclosures – Covered entities must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary.”
For business associates, the main impact is likely to be requests from their covered entity to facilitate PHI disclosures to local, state, and federal health authorities, as well as to friends and families of patients. For covered entities, a point of focus should be involving and preparing their Privacy and Compliance Officers to ensure that proper disclosures and minimum necessary standards are being followed.
If you are a business associate or covered entity subject to the HIPAA Privacy Rule, we encourage you to study the HHS memo to reacquaint your organization with the unique disclosure permissions that apply during a pandemic.
GDPR and Pandemics
Will coronavirus test Europe’s commitment to privacy? GDPR does allow for the temporary suspension of privacy requirements for certain crises like this pandemic. Article 9 addresses how long the information can be stored and where, who has access to it, and when the data should be purged after the crisis passes.
Some European countries have adopted their own guidance on privacy in the time of the coronavirus. Italy has adopted Civil Protection Ordinance No. 630 to temporarily lift restrictions on sharing personal data related to public health issues. France has published guidelines for data sharing and data retention related to coronavirus response. Germany’s Federal Data Protection Act addresses processing special categories of personal data.
Your Response to Coronavirus
In times like these, we never want your organization to feel uncertain about its privacy practices. If your Privacy or Compliance Officers have questions about how to handle this pandemic, don’t hesitate to reach out. We do not want you to just survive this crisis. We want you to emerge stronger and more secure on the other side of it.