OCR Bulletin Regarding the Sharing of PHI in Emergency Situations

On March 16, 2020, the U.S. Department of Health and Human Services – Office of Civil Rights (“OCR”) issued the COVID-19 and HIPAA Bulletin. In addition to summarizing the Waiver or Modification of Requirements Under Section 1135 of the Social Security Act (SSA), OCR outlined the HIPAA Privacy Rule requirements that may be relevant to disclosing PHI in emergency situations. While this guidance did not include any waivers or modifications to these requirements, OCR summarized provisions of the Privacy Rule related to disclosures for purposes related to treatment and public health activities, disclosures for notification purposes, disclosures to family, friends and others involved in an individual’s care, disclosures to prevent or lessen a serious and imminent threat, and disclosures to the media or others not involved in the individual’s care. OCR further reiterated the need to safeguard PHI and only disclose the minimum amount of PHI necessary to accomplish the intended purpose. The following represents a summary of OCR’s guidance; any specific scenarios should be assessed according to the text of the Privacy Rule.

•  Disclosures related to treatment. The Privacy Rule allows covered entities to disclose, without a patient’s authorization, a patient’s PHI as necessary to treat the patient or to treat a different patient.  Under the Privacy Rule, treatment includes the coordination or management of health care and related services by one or more health care providers, consultation between providers, and the referral of patients for treatment.
• Disclosures related to public health activities. Covered entities are allowed to disclose PHI without patient authorization in furtherance of the legitimate need for public health authorities to have access to PHI necessary to carry out their public health mission.  Such disclosures may involve:
  • Disclosures to a public health authority, including the Centers for Disease Control and Prevention (“CDC”), a state or local health department authorized by law to collect or receive PHI for the purpose of preventing or controlling disease, injury or disability.
  • Disclosures made at the direction of a public health authority, to a foreign government agency, which agency is acting in collaboration with a public health authority.
  • Disclosures made to persons at risk of contracting or spreading a disease or condition. Note that other law, such as state law, must authorize the covered entity to notify such persons where necessary to prevent or control the spread of disease, or otherwise to carry out public health interventions or investigations.
• Disclosures for notification purposes. The Privacy Rule allows covered entities to share the PHI necessary to identify, locate, and notify family members, guardians, or any other person responsible for the patient’s care, of the patient’s location, general condition, or death.  This may involve notification of family members and others, the police, the press, or the public at large.  The covered entity should, when possible, get verbal permission from patients, or otherwise be able to reasonably infer that the patient does not object.  Further, a covered entity may share PHI with disaster relief organizations that are authorized by law or by their charters to assist in disaster relief efforts, for purposes of coordinating the notification of family members or other persons involve in the patient’s care, of the patient’s location, general condition, or death.
• Disclosures to family, friends and others involved in an individual’s care. Covered entities may disclose PHI with a patient’s family, relatives, friends, or other persons who have been identified by the patient as being involved in the patient’s care.  As with disclosures for notification purposes, the covered entity should, when possible, seek to obtain verbal permission from patients, or otherwise be able to reasonably infer that the patient does not object.
• Disclosures to prevent or lessen a serious and imminent threat. A health care provider may share PHI with any person where necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, provided that such disclosure is consistent with applicable law, such as state statutes, regulations, or case law.  OCR provided the example that providers may disclose patient PHI, without authorization, to anyone in a position to prevent or lessen the serious and imminent threat, such as family, friends, caregivers, and law enforcement.  Of note, the Privacy Rule explicitly defers to the professional judgment of the providers in making the determination on the nature and severity of the threat to health and safety.
• Disclosures to the media or others not involved in the individual’s care. Unlike the prior disclosures, affirmative disclosures to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, may not be done without the patient’s written authorization.  Should a covered entity receive a request to disclose information about a particular patient asked for by name, the entity may release limited facility directory information to acknowledge an individual is a patient at the facility, and may provide basic information about the patient’s condition in general terms, provided, however, that the patient has not objected to or restricted the release of PHI.

If you have additional questions or need further assistance, please feel free to reach out to Alessandra Swanson or your Winston relationship attorney.

View all of our COVID-19 perspectives here. Contact a member of our COVID-19 Legal Task Force here.