Fox Rothschild partner Bill Maruca’s article, “Protecting Privacy During an Infectious Disease Panic”, is (unfortunately) as relevant today as it was when it was posted here more than 5 years ago. Swap Ebola for COVID-19, and the article provides useful guidance for covered entities and business associates subject to HIPAA and to employers, family and friends who are not.
More recently, the U.S. Department of Health and Human Services published a Bulletin that emphasizes the important and HIPAA-permitted circumstances under which COVID-19 patients’ information may be disclosed.
Key take-aways from the Bill’s article and from the HHS Bulletin include: (1) only covered entities and business associates (and their subcontractors) are subject to HIPAA, and (2) HIPAA allows disclosures under certain circumstances, such as where disclosures are necessary to prevent a serious and imminent threat and are consistent with applicable law and covered entities’ standards or codes of conduct.
The following FAQs illustrate these take-aways (note that these focus on HIPAA only and not on other potentially applicable laws, such as employment-related laws and state privacy laws):
Q.1. I work in HR at my company. An employee came to me this morning and told me that his adult son, who resides with the employee, tested positive for Coronavirus this past weekend. Will I violate HIPAA if I tell my supervisor with or without consent of the adult son or the employee? Can my supervisor alert other employees in the office?
A.1. You will not violate HIPAA by telling your supervisor, and your supervisor will not violate HIPAA by alerting other employees. Neither you nor your supervisor is a covered entity, business associate, or subcontractor (but see next FAQ) and so HIPAA does not apply.
Q.2. I work in HR at my company and am responsible for overseeing our self-funded group health plan. Same facts and questions as above.
A.2. Because you have HIPAA obligations due to your role with respect to the company’s group health plan (which is a covered entity under HIPAA), you need to be cautious with respect to this information. We recommend you consult your HIPAA Privacy Officer or HIPAA counsel regarding the disclosure by the employee to you and the circumstances of the disclosure to determine whether HIPAA applies and if it does, whether HIPAA would allow you to inform your supervisor.
Q.3. I work in HR at my company and am responsible for overseeing our self-funded group health plan. I reviewed a claim for services rendered by a hospital to an employee who has been out of work due to illness for the past several weeks. The claim included diagnosis codes that suggest the employee was treated for COVID-19. Can I tell my supervisor? Can my supervisor alert other employees?
A.3. HIPAA applies to your communications regarding protected health information (PHI), so you must proceed with caution. HIPAA permits the disclosure of PHI if it is necessary to prevent or lessen a serious or imminent threat to the health or safety of a person or the public, and it is consistent with other applicable law. However, it does not appear that you have sufficient information to rely upon this “serious and imminent threat” exception as the basis for disclosure. You do not know that the patient had tested positive for Coronavirus or was treated for COVID-19, nor have you demonstrated how notification would prevent a serious and imminent threat (the employee has not been in the office for several weeks). This situation clearly calls for further consultation with knowledgeable medical and/or legal professionals.