The current COVID-19 pandemic has challenged the United States in many ways. Understanding how to respond to and control the virus includes studying the data of persons who were infected with the virus. Sharing this type of data for research and public health purposes almost immediately raises security and privacy issues because medical information is among the most sensitive types of personal information.
- HIPAA: The Privacy Rule & The Security Rule
- Exceptions to HIPAA During COVID-19
- Privacy, HIPAA, and COVID-19
- About the Author
- More on Legal and Privacy Issues
HIPAA: The Privacy Rule
The Privacy Rule was designed to allow consumers to control the use of their health information. Under the Privacy Rule, covered entities like doctors’ offices and hospitals may not use or disclose a patient’s protected health information without their permission. There are few exceptions to the basic rule that allow use or disclosure without patient consent. Unless an exception applies, a patient must specifically consent to a use or disclosure that is not permitted by the Privacy Rule.
HIPAA: The Security Rule
The Security Rule requires covered entities to use security safeguards that protect the confidentiality, integrity, and availability of electronically protected health information. Since so much information is stored electronically these days, the Security Rule provides a set of minimum requirements that must be met to secure electronic protected health information.
HIPAA & COVID-19
The COVID-19 global pandemic has led to questions about the applicability of HIPAA in response to a healthcare crisis. For instance, could the Security Rule’s confidentiality requirements be suspended in order to allow increased access to telemedicine for patients suffering from COVID-19 symptoms? And what are the limits of uses and disclosures of patient-protected health information for public health reporting and contact tracing? The OCR has provided numerous pieces of guidance to help health care providers navigate the complex regulatory landscape surrounding HIPAA. In issuing such guidance, the director of the OCR has said that the OCR is “... empowering medical providers to serve patients wherever they are during this national public health emergency.”
Exceptions to HIPAA During COVID-19
Despite its general prohibition on the use or disclosure of protected health information without patient consent, some exceptions are allowed. One of those exceptions is use or disclosures of protected health information made for public health and safety activities. Public health is the branch of medicine that is concerned with the health of a community of people. A public health authority is a state or federal agency that is responsible for public health matters. For example, a state or local health department is a public health authority, as is the federal Centers for Disease Control and Prevention (CDC). This exception has been of great importance since the beginning of the pandemic, allowing health departments to track the spread of the virus.
The Privacy Rule allows healthcare providers to provide protected health information to public health authorities for the purpose of preventing or controlling the disease. Guidance from the OCR specifically noted that covered entities may report “all prior and prospective cases of patients exposed to or suspected or confirmed to have [COVID-19].”Many states have laws that require healthcare providers to report the transmission of certain communicable diseases to public health authorities so that transmission of the disease can be tracked and curtailed. In addition, the Coronavirus Aid, Relief, and Economic Security (CARES) Act requires every lab that performs or analyzes a COVID-19 test to report the results of each test to state or local public health departments to ensure rapid investigations of known or suspected cases of the virus.
How healthcare is delivered has changed markedly during the pandemic as well, especially as hospitals became overwhelmed with COVID-19 patients, and “social distancing” is practically de rigueur. During the first quarter of 2020, when COVID-19 was beginning to spread in the United States, the CDC reported a 50% increase in telemedicine visits compared to the same period the previous year. During the last week of March, telemedicine health visits, where clinical care is provided remotely through a communications service, increased 154% from the previous year.
The CDC surmises that the increase in telemedicine visits during that week in particular coincided with the OCR announcing that it would waive penalties for potential HIPAA violations against health care providers that used remote, one-to-one video communications services to offer telemedicine visits to patients during the COVID-19 public health emergency. While healthcare providers were encouraged to use technologies with strong security capabilities, the guidance from OCR noted that providers would not be penalized for using less secure technologies in a good faith effort to provide timely and accessible care during a health emergency.
Privacy, HIPAA, and COVID-19
Privacy concerns about COVID-19 contact tracing and the applicability of HIPAA have also been raised during the pandemic. Long used to track and slow the spread of communicable diseases, contact tracing is the process of identifying people who may have come into contact with a person with an infectious disease. People who have been in close contact with an infected person are identified through interviews with infected patients, are notified of the exposure, and provided with guidance about the need to seek medical attention or quarantine. Contact tracing programs do not have to be provided by healthcare professionals. In fact, contact tracing is often provided by public health agencies or by research organizations. In our modern times, contact tracing can even be facilitated by an app on a person’s mobile device. In many instances, the HIPAA Security and Privacy Rules do not apply to contact tracers because many of them are not HIPAA-covered healthcare providers under HIPAA. However, if a contact tracer is a HIPAA-covered healthcare provider, then the privacy requirements of HIPAA may apply. An exception exists to allow disclosure of protected health information to persons at risk of spreading the disease if state law allows a healthcare provider to make such a disclosure to control the spread of disease.
While medical information is among the most sensitive types of personal information and is protected by the provisions of HIPAA, the current COVID-19 health emergency has shown that flexibility and discretion exist within the law. HIPAA's exceptions that allow protected health information to be disclosed without consent to promote public health and stop the spread of disease, and the Office of Civil Rights’ exercise of HIPAA enforcement discretion to allow telemedicine practices, have helped the country respond to the pandemic.
To learn more about the Health Insurance Portability and Accountability Act, see chapter 6.
About the Author
Joanna Lyn Grama - JD, CISSP, Vantage Technology Consulting Group, Associate Vice President. Grama is an Associate Vice President at Vantage Technology Consulting Group. She has more than 20 years of experience in higher education with a strong focus on law, IT security policy, compliance, governance, and data privacy issues.