
Many healthcare organizations may be confused about the HIPAA Privacy Rule during Coronavirus. To be clear, the HIPAA Privacy Rule — which protects patients’ protected health information (PHI) — is not waived because of the Coronavirus COVID-19 pandemic. 

However, the Office of Civil Rights (OCR) is aware that during an infectious disease outbreak — such as COVID-19 — it may be necessary to disclose a patient’s PHI without their written permission in order to treat them or protect the public health.

Therefore, certain provisions of the HIPAA Privacy Rule regarding the disclosure of patients’ PHI without their written authorization can be waived without sanctions or penalties in specific instances during a national Public Health Emergency. 

Let’s unpack this to answer the most common questions healthcare organizations are asking about when a patient’s PHI can be disclosed without their written authorization during the COVID-19 Public Health Emergency.

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule protects the security and privacy of people’s protected health information (PHI). When a patient’s PHI is in electronic form, it’s called ePHI.

The HIPAA Privacy Rule provides the standards healthcare companies must follow to fully protect any PHI or ePHI that is collected, processed, transmitted, or stored, and to make sure that patients can access it and amend it if it is incorrect or has become corrupted due to identity theft or errors.

If your organization has contact with PHI in any way, you have to develop privacy policies and procedures that adhere to the Privacy Rule and use authorizations as HIPAA instructs. Otherwise, you risk a HIPAA violation, which can subject you to fines and penalties.

Can we disclose PHI without patient authorization for treatment purposes?

Yes. Covered entities and business associates may disclose PHI without a patient’s authorization when it is necessary to treat that patient or any other patient.

Treatment includes:

  • Coordination and management of healthcare services by one or more healthcare providers
  • Consultation between healthcare providers
  • Referral of patients for treatment

See 45 CFR §§ 164.502(a)(1)(ii), 164.506(c), 164.501.

Can we disclose PHI without patient authorization to public authorities?

Yes. Covered entities and business associates may disclose PHI without written authorization to public health authorities such as any local or state health department, the CDC, a foreign government agency that is collaborating with a public health authority, or any person or entity who has been granted authority from or is under contract with a public health agency.

See 45 CFR §§ 164.501 and 164.512(b)(1)(i).

Can we disclose PHI without patient authorization to someone who might have COVID-19?

Yes. If state law or any other relevant law permits, covered entities can disclose PHI without written authorization to anyone who may have been exposed to COVID-19 or is at risk of contracting or spreading COVID-19. They may also disclose PHI to anyone who they believe can prevent or reduce a serious health threat to a person or to the public by receiving the PHI in question.

See 45 CFR § 164.512(b)(1)(iv).

Can we disclose PHI without patient authorization to family and friends?

Yes. Covered entities and business associates are allowed to share PHI without written authorization with family, relatives, friends, or any other person involved in the patient’s care. They can also share PHI when they need to find and notify family members, guardians, or people responsible for the patient — to inform them about a patient’s location, condition, or death. This can even include the police, the press, or the public at large if it’s necessary in an emergency situation.

Covered entities should at least try to get verbal permission from patients, or be able to reasonably infer that a patient wouldn’t object. But if a patient is incapacitated or not available, covered entities can share PHI if they believe it’s in the patient’s best interest.

See 45 CFR § 164.510(b).

Can we disclose PHI without patient authorization to the media or public at large?

No. Unless excepted as outlined above, information about an identifiable patient (e.g., tests, test results, or illness details) cannot be disclosed to the media or the public at large without the patient’s written authorization, or the written authorization of the person legally authorized to make healthcare decisions for the patient.

However, if a patient hasn’t specifically objected to the release of PHI, a covered entity may release limited facility directory and basic information about a patient’s condition, such as “critical, stable, deceased, or treated and released.” 

See 45 CFR § 164.510(a).

Are there any other HIPAA restrictions or changes we should be aware of?

HIPAA Security Rule 

Covered entities and business associates must continue to apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information (ePHI) to protect patient information against intentional or unintentional impermissible uses and disclosures — except as permitted by the HIPAA telehealth penalty waiver for healthcare providers. 

COVID-19 HIPAA Telehealth Penalty Waiver for Healthcare Providers

Healthcare providers — specifically — won’t be subject to sanctions or penalties if they violate certain HIPAA Privacy, Security, and Breach Notification Rules when providing telehealth in good faith during the COVID-19 nationwide Public Health Emergency.

Minimum Necessary Requirements 

Covered entities and business associates still need to be careful to comply with HIPAA’s minimum necessary requirements: a PHI disclosure should contain only the minimum amount of information required to accomplish the purpose of the disclosure. Minimum necessary requirements do not, however, apply to disclosures to healthcare providers for treatment purposes.

Other Applicable State and Federal Laws 

There may be other state or federal laws that apply to the disclosure waiver granted under a public health emergency. All covered entities and business associates governed by the HIPAA Privacy Rule should make sure they are up to speed on relevant local laws that may restrict disclosure of PHI during the COVID-19 pandemic.

Real-time OCR Announcements Related to COVID-19

Healthcare providers who are covered under HIPAA need to be aware of ongoing announcements related to HIPAA, Civil Rights, and COVID-19 on the HHS website as we run up against potential Civil Rights challenges while navigating our way through this pandemic. 

Contact SnapEngage to learn how we can help you stay HIPAA compliant during and after COVID-19

SnapEngage’s HealthEngage is the world’s first HIPAA compliant live chat. Our COVID-19 Coronavirus Symptom Checker Bot offers a sequence of questions and answers to help patients understand their options and staff to answer questions quickly. Download our Guide to HIPAA-Compliant Chat and ensure that your business is compliant and protected throughout coronavirus and beyond.