While preparing and treating patients that have or might have novel Coronavirus (2019 nCoV), it is important to remember your patient’s privacy rights. HIPAA permits the sharing of patient’s protected health information (PHI) for public health activities such as this without patient authorization.
With whom and when can you share PHI for public health activities? Generally, PHI can be shared with:
- entities that are permitted by law to collect and receive health information for the purpose of preventing or controlling diseases such as the CDC or a state or local health department,
- organizations such as the American Red Cross,
- others at risk of contracting or spreading a disease or condition if state law authorizes the covered entity to notify others as necessary to prevent or control the spread of the disease. This includes notifications to and from first responders with nursing homes, emergency departments, and other healthcare providers, and
- others involved in the patient’s care such as family and friends. Providers should use their professional judgment here and obtain verbal consent from the patient, if possible.
PHI should not be shared with the media or others not involved in a patient’s care without the patient’s authorization.
The HIPAA minimum necessary standard still applies to the use and disclosure of PHI. The U.S. Department of Health and Human Services says that entities may rely on representations from the CDC or other public health departments that the PHI requested by them about all patients exposed to or suspected or confirmed to have novel coronavirus (2019-nCoV) is the minimum necessary. In addition, a covered entity should continue to limit access to PHI to only those workforce members who need it to carry out their duties.
Does your practice need a refresher on basic HIPAA training? Planning ahead now can mitigate the risks associated with noncompliance.