Safeguarding Patient Health Information in an Emergency Situation
Even in an emergency situation such as that presented by the COVID-19 pandemic, covered entities must continue to meet their obligations under federal and state laws protecting the confidentiality of patient health care information, and must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. They must continue to comply with the administrative, physical, and technical safeguards of the security rule and privacy rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The obligation to conduct periodic HIPAA security assessments continues, even during an emergency or natural disaster. The obligation to meet the requirements of state laws protecting special status health information, such as mental health records and drug and alcohol rehabilitation records, also continues through a pandemic.
Each of the bodies of regulations that apply to patient health information contains certain specific provisions that can apply during a pandemic. For example, HIPAA permits disclosures to public health authorities and others where it is necessary for purposes of controlling the spread of the virus or to otherwise protect the public from harm. These exceptions permit disclosures that may be in the public good for purposes of addressing the emergency situation. The emergency exceptions do not provide blanket exemption from assuring compliance with applicable regulations.
HIPAA Applies Only to Covered Entities and Business Associates, But Other Laws May Apply More Broadly
The HIPAA Privacy Rule applies to disclosures made by employees, volunteers, and other members of a covered entity’s or business associate’s workforce. HIPAA does not apply to others, such as some emergency workers, law enforcement, fire responders, and other first responders who may be involved in the course of a patient’s health care episode. But you should be aware that other laws, such as laws protecting confidentiality of mental health treatment information and substance/alcohol rehabilitation records, may be applicable and will normally be more protective of patient confidentiality than HIPAA. Covered entities include health plans, health care clearinghouses, and most health care providers. Business associates generally are persons or entities that are not inside the organization and who perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information.
Business associates also include subcontractors of other business associates that create, receive, maintain, or transmit protected health information. The HIPAA privacy rules do not apply to disclosures made by entities or other persons who are not covered entities or business associates (although such persons or entities are free to follow the standards on a voluntary basis if desired). There may be other state or federal rules that apply.
A business associate of a covered entity may make disclosures permitted by the HIPAA rules, including those that are available in the case of an emergency.
Although HIPAA may not apply to law enforcement and others who may come into possession of information concerning the health care of an individual, other federal and state laws apply more broadly and extend beyond covered entities and business associates. For example, the regulations applicable to substance and alcohol abuse records require any party who receives the protected information from the provider to comply with a prohibition against redisclosure. Even though law enforcement and other first responders may not be covered entities or business associates as defined in HIPAA, the provisions of 42 CFR Part 2, the federal regulations providing confidentiality protection for substance and alcohol abuse treatment records, and possibly state laws protecting mental health records, may impose an obligation on law enforcement and other non-covered entities to maintain the confidentiality of the information that they receive.
We previously released a blog article describing some of the Emergency Provisions available under HIPAA.
Source: Health Law Blog