In connection with the Novel Coronavirus (2019-nCoV) outbreak news recently, the Department of Health and Human Services released an advisory to remind HIPAA covered entities about sharing patient data during infectious disease outbreaks and other emergency cases.
The HHS states in the bulletin that even in the current situations, healthcare organizations should continue to observe the HIPAA Privacy Rule and implement technical, administrative, and physical safety measures to maintain the integrity, availability, and confidentiality of protected health information (PHI).
The HIPAA Privacy Rule allows covered entities to share patient information without obtaining authorization if for purposes of treatment, consultations, care coordination, and referring patients for treatment.
In cases when patients have developed an infectious disease like the 2019-nCoV, there is a legit need to share information with public health specialists and people in charge of protecting public health and safety. The concerned individuals might need to know the PHI in order to perform their public health duties. The HIPAA Privacy Rule permits covered entities to discuss PHI with concerned entities and people even without written authorization in the following situations:
- sharing data with the Centers for Disease Control and Prevention (CDC) and state and health departments sanctioned by law to obtain such data to stop or control illness and harm.
- sharing PHI with foreign government agencies that the public health authorities work with.
- sharing information with people thought to be in danger of getting or spreading disease
if the state law or other laws allow the covered entity to tell such individuals in order to stop the spread of disease or to conduct public health inspections - sharing information with family members, friends, and other people concerned with patient care, including
- sharing data concerning a patient, as needed, to determine, track down, and alert the family, guardians, and other people in charge of the patient’s treatment, the patient’s place of residence, general condition, or demise.
In these cases, verbal permission ought to be provided by the patient or it is sensibly deduced there is no objection from the patient. If a patient is disabled, then a professional should carefully consider if data sharing protects the patient’s welfare.
Patient data may likewise be shared to avoid or decrease a serious or impending threat to personal or public health and safety, in line with appropriate laws. Typically speaking, it is not allowed to give the specific data of an identifiable patient to the press or community in particular.
All authorized disclosures of patient data are governed by the minimum required rule. Shared data must be limited to the minimum required amount to achieve the purpose of disclosing the information.