Wilentz Health Law Check Up
On March 17, 2020, the Office for Civil Rights (OCR) announced the Notification of Enforcement Discretion for Telehealth Remote Communications during the COVID-19 Nationwide Public Health Emergency.
In February 2020, the OCR at the U.S. Department of Health and Human Services (HHS) provided a bulletin to assist entities in determining the appropriate way in which patient information could be permissibly shared in compliance with HIPAA in the event of an outbreak of infectious disease or other emergency situations. OCR has outlined several ways by which the HIPAA Privacy Rule permits entities to disclose PHI without a patient’s authorization.
- Covered entities may disclose PHI about the patient as necessary to treat the patient or to treat a different patient.
- Covered entities may disclose requested PHI to a public health authority, a foreign government agency (at the direction of a public health authority) that is collaborating with the public health authority, and persons at risk of contracting or spreading a disease or condition if authorized by law.
- Covered entities may share PHI with a patient’s family, friends, relatives, or other identified persons who were involved in the patient’s care.
- Health care providers may share PHI with anyone in order to prevent or lessen a serious and imminent threat to the public health and safety.
Health care providers are required to comply with the “minimum necessary” standard when disclosing PHI of patients with the coronavirus, which means that such providers must make reasonable efforts to disclose only the patient information necessary to achieve the purpose of the disclosure. In addition, during emergencies, covered entities must implement reasonable safeguards to protect PHI against any “intentional or unintentional uses and disclosures” in violation of HIPAA. For more information visit: NIH BULLETIN: HIPAA Privacy and Novel Coronavirus.