Expert HIPAA advice to empower you against the coronavirus

As of yesterday evening, we have had 188,000 confirmed cases of COVID-19 infections spread across 50 states. An alarming number. 

The first against the coronavirus is now, in effect, a war against spreading infections and the mounting death toll. The infections are showing no signs of subsiding; New York alone has 76,000 cases. For California, it’s 7600. 

The US healthcare system is now stressed to its peak. Under these dreadful circumstances, can Covered entities continue to comply with HIPAA laws without compromising with patient care? 

In the article below, we will look at the major HIPAA challenges that healthcare providers are currently struggling with; and how the Health and Human Services (HHS) is helping them through. We’ll take a deeper look at the following list of challenges. 

  • Can you share the PHI of a person infected with coronavirus?
  • The circumstances in which can you share or disclose the PHI
  • Can you tell the family or friends of a patient, if he or she has been infected by the coronavirus disease?
  • How to collaborate with other providers and the public agencies? 
  • Can a patient restrict you from sharing their condition?
  • How to deal with PHI requests from first responders, prison officers or law enforcement agencies?
  • Can you use telehealth services for communicating with your patients? 

Using Patient Health Information (PHI)

Under such dreaded circumstances, it may feel natural to use or disclose patient health information at your discretion and without patient’s consent. Beware! You cannot do so. Sharing of patient information is still guided by the HIPAA. All healthcare providers, covered entities or business associates must remain compliant with the privacy and Security rule under all circumstances. 

The HIPAA privacy rule, however, allows the healthcare providers to use or disclose PHI for critical purposes, such as for treating patients and ensuring public safety. 

Covered entities can disclose PHI, without a patient’s consent, if it’s necessary for the treatment of a patient, or if the disclosure can safeguard public health or safety. Business Associates may also be able to disclose the necessary information on behalf of the covered entity, as long as the disclosure is permitted within the parameters of their Business Associate Agreement. 

For details of the PHI that you can share, you can read the HHS OCR bulletin released in February. 

Disclosing PHI of COVID-19 patients

As per the HHS OCR guidance released on March 24, a covered entity CAN share the name and other identifying information of people infected with or exposed to the coronavirus disease under certain permitted circumstances. They can share the PHI of such individuals with:

  1. First responders, such as paramedics and the law enforcement, and
  2. Public health authorities, such as the CDC.


This also includes officials of a correctional institute or a law enforcement officer having lawful custody of another person. 

Note: Patient’s HIPAA authorization is not necessary under emergency circumstances.

Permitted Circumstances

Covered entities can share the PHI of persons infected or exposed to the coronavirus disease under certain circumstances, such as:

  1. When the disclosure is necessary for providing treatment – You can disclose patient information to first responders, so they can provide emergency treatment to a COVID-19 patient.
  2. When it’s required by law – You can notify public officials, if an individual under your care has tested positive to COVID-19, but only if the state law requires that you do so. 
  3. When first responders may be at-risk of infection- You can disclose a patient’s PHI to a first responder on duty, if they may have been exposed to COVID-19, or may be at risk of exposure to a person with COVID-19, while conducting an investigation or answering a call. However, the disclosure must be in line with the state laws.
  4. When the disclosure to the first responder can prevent or lessen a threat of COVID-19 infection – You can disclose the PHI to a first responder, if you believe that such a disclosure can protect the health and safety of an individual or the public. 
  5. When the disclosure could help a prison or a law enforcement official having the custody of a person – You can share the PHI of COVID-19 infected (or suspected) inmate or a person if it’s needed for: 
    1. Providing care.
    2. Health and safety of others, including inmates and employees.
    3. Maintaining the safety, security and good order of the correctional facility.
    4. Law enforcement on the premises.

Permitted Disclosures

In general, healthcare providers can disclose PHI under the following conditions. They can:

  1. Disclose PHI when it’s necessary to treat the patient or to treat another patient.
  2. Disclose PHI to public health authorities and persons at risk of contracting or spreading the disease if authorized by law.
  3. Disclose PHI – at the direction of a public health authority – to a foreign government agency.
  4. Share the PHI with the patient’s family, friends, and other persons who are involved in the care of the patient. 
  5. Share PHI with the person at risk of contracting or spreading the disease
  6. Share PHI with anyone in order to prevent or lesson a serious and imminent threat to public health and safety. 


Sharing Information with the CDC

The HHS bulletin explicitly states that the covered entities can share necessary PHI with the public agencies, such as the Centers for Disease Control and Prevention (CDC) or state or local health authorities when the disclosure is expected to prevent or control the spread of disease. They can also share the PHI with disaster-relief organizations too. 

Privacy restrictions and Patient rights

Last week, Alex Azar, the US Secretary of the HHS declared further relaxation to the HIPAA laws. The HHS has removed some provisions of the HIPAA law to ensure that hospitals can continue to attend to the coronavirus crisis without any hurdles. These waivers would allow patient information to be shared for treatment, including coordinated, public health activities, and for preventing or lesson a serious and imminent threat. The following provisions have been waived off. As per the waivers: 

  1. Patient’s agreement is not required for speaking with their family members, relatives or friends involved in his or her care.
  2. Providers are no longer required to honor a patient’s request to opt out the facility directory.
  3. It is not compulsory to distribute a notice of privacy practices.

The following patient rights have also been waived off

  1. Patient’s right to request privacy restrictions.
  2. Patient’s right to request confidential communication.

For now, the waivers apply only to providers located in the emergency areas identified in the public health emergency declarations and to hospitals that have implemented disaster protocols for 72 hours.  

Besides these waivers, the HHS has stressed that during the coronavirus emergency patient health information can be shared for public health and safety. This includes the reporting of disease or injury and the reporting of vital injuries, such as birth and death; and conducting public health surveillance, investigation and intervention. 

Minimum Necessary Rule

The disclosures must still not violate the ‘minimum necessary’ rule of the healthcare law, unless required by law or necessary for patient treatment. The minimum necessary rule applies equally to all disclosures made under the coronavirus emergency. The healthcare providers must continue to make all reasonable effort to disclose only the minimum necessary information to accomplish the purpose of the disclosure. 

Moreover, the PHI patient cannot be disclosed to media or persons not involved with the person’s care without the permission from the patient. 

Use of Telehealth communication tools 

The HHS has also declared that healthcare providers can use telehealth communication tools to provide healthcare services during this emergency. Healthcare providers can use any audio, video or chat tools to communicate with patients to assess, diagnose and treat them. The only exception is the use of public facing tools. You can use non-public facing tool only.  

Examples of non-public facing tools

  • Apple Facetime
  • Skype 
  • Microsoft Team
  • Zoom 
  • Google Hangout 

Examples of public facing tools 

  • Facebook live
  • Twitch
  • TikTok
  • Instagram live

While the COVID-19 emergency continues, the HHS has promised to exercise discretion, and it will not impose non-compliance penalties. You can use any product that is available.

This would allow the healthcare provider to assess more patients without risking a spread of infection, and would help protect senior citizens by keeping them away from clinics and hospitals. 

Are compliance restrictions hurting your practice? Are you aware of all the HIPAA waivers that apply to the COVID-19 healthcare emergency? Let us know in the comments section below; we’d be happy to share your views with the US healthcare community.


Jessica Holland

Jessica Holland

Like this post? Subscribe to receive updates directly in your inbox.