
HIPAA, not HIPPA: Common Misunderstandings and Clarifications of the Law

The COVID-19 pandemic has resulted in an outpouring of information to the general public, much of it inaccurate. Healthcare-related law has not been immune to this misinformation, and the relevant laws have been incorrectly cited and applied by leadership and citizens alike. The spread of misinformation is especially dangerous during a pandemic, as it can stifle recovery efforts and contribute to an increase in the infection rate. Recently, a spike in incorrect claims about the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) has circulated from a variety of sources, including governmental ones. Because HIPAA is widely cited but often misunderstood, a brief synopsis of the law follows.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is a federal law enacted to standardize the electronic transmission of healthcare information, to establish how personal health information held by healthcare providers and health plans is protected from misuse and fraud, and to address limitations on insurance coverage. The HIPAA “Privacy Rule” sets the standards that “covered entities” (healthcare providers, health plans, and healthcare clearinghouses) must follow concerning the use and disclosure of Protected Health Information (“PHI”). This Briefing does not focus on the HIPAA “Security Rule,” which requires administrative, physical, and technical safeguards for the confidentiality, integrity, and availability of electronic PHI.

Who is required to follow HIPAA guidelines?

As noted above, individuals, organizations, and agencies that meet the definition of a “covered entity” under HIPAA must comply with its requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. Covered entities are the following:

  • Healthcare providers that transmit health information electronically in connection with certain standard transactions (for example, claims and eligibility inquiries)

  • Health plans

  • Healthcare clearinghouses

Apart from these covered entities and their business associates (vendors and contractors that handle PHI on a covered entity’s behalf), individuals, businesses, and organizations are generally not subject to HIPAA’s restrictions on the use or disclosure of PHI. However, other privacy laws and regulations (including state requirements) may apply to the release of such personal information.

What information is protected under the Privacy Rule?

HIPAA limits covered entities in their use and disclosure of PHI. Under HIPAA, PHI is defined as all individually identifiable health information held or transmitted by a covered entity (or its business associates) in any form or medium, whether electronic, paper, or oral. Individually identifiable health information is information, including demographic data, that identifies the individual (or could reasonably be used to identify the individual) and that relates to:

  • The individual’s past, present, or future physical or mental health or condition

  • The provision of healthcare to the individual; or

  • Past, present, or future payment for the provision of healthcare to the individual

It should be noted that, under the Privacy Rule, employment records that a covered entity maintains in its capacity as an employer are not PHI, even if they contain health information.

Failure to comply with the Privacy Rule may result in large civil monetary penalties. Additionally, a person who knowingly obtains or discloses information in violation of the Privacy Rule may face criminal penalties as well.

When is disclosure of PHI permitted or required?

A covered entity may not use or disclose PHI unless the Privacy Rule permits or requires the use or disclosure, or the subject of the information authorizes it in writing. The Privacy Rule itself requires disclosure in only two situations: (a) to individuals (or their personal representatives) when they request access to their own PHI, and (b) to the Department of Health and Human Services when it is undertaking a compliance investigation, review, or enforcement action. Disclosures that are required by another law are permitted by the Privacy Rule, so the covered entity must then comply with that other law.

Furthermore, a covered entity is permitted to use and disclose an individual’s PHI without an individual’s authorization under the following circumstances:

  • A covered entity may disclose protected health information to the individual who is the subject of the information

  • A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities

  • In limited situations (for example, facility directories or disclosures to family members involved in the individual’s care), a covered entity may rely on informal permission, obtained by asking the individual outright or through circumstances that clearly give the individual the opportunity to agree, acquiesce, or object to the disclosure

The Privacy Rule does not require that every risk of an incidental use or disclosure of PHI be eliminated. An incidental disclosure (for example, a patient overhearing a conversation at a nursing station) is permitted so long as the covered entity has applied reasonable safeguards and the minimum-necessary standard to the underlying use or disclosure.

A limited data set may be disclosed without an individual’s authorization for research, public health, or healthcare operations purposes under the Privacy Rule, provided the recipient signs a data use agreement. A limited data set is PHI from which certain specified direct identifiers of the individuals and their relatives, household members, and employers (such as names, street addresses, and Social Security numbers) have been removed.

HIPAA disclosures and COVID-19

Under the HIPAA Privacy Rule, covered entities may disclose, without the individual’s authorization, the PHI of an individual who has been infected with or exposed to COVID-19 to law enforcement, first responders, and public health authorities. These disclosures are not unlimited: they must fit one of the circumstances the Privacy Rule already permits (for example, to a public health authority for the purpose of preventing or controlling disease, or to first responders where needed to prevent or lessen a serious and imminent threat), and the covered entity must limit the disclosure to the minimum information necessary for that purpose.