This is the first alert in a series of Bradley installments on privacy issues that may arise during the current COVID-19 pandemic. This first installment focuses on disclosure of personally identifiable health information under state government disclosure obligations and covered entity obligations under the Health Insurance Portability and Accountability Act (HIPAA).
The spread of COVID-19 has created numerous privacy and compliance concerns as state governments, businesses, and healthcare providers are struggling to balance the privacy of the individuals being tested and monitored and the confidentiality of the investigations against the responsibility to disclose information to protect the public.
Privacy Obligations of State Agencies
Most states have statutes that limit what personally identifiable health information can be disclosed by state governments and health departments. Generally, there are two state models. In the first model, about half of state statutes offer no general presumption of privacy, but protect information associated with specific diseases such as HIV and sexually transmitted diseases. The other half of states establish a general protection for personally identifiable health information maintained by health departments but allow for exceptions to disclosure for specific diseases.
In states that prohibit disclosure of personally identifiable health information by state government agencies, one or more of three exceptions generally applies, including (1) when deemed necessary by public health officials to protect the public’s health or health of an individual; (2) for statistical analysis and research; and/or (3) disclosure to a contact or for contact-tracing purposes.
State agencies have been cautious about identifying specific individuals; however, states have provided basic demographic information about COVID-19 cases. For example, Florida health officials have recently started identifying the counties where positive COVID-19 cases have been identified, including the age and gender of individuals and whether an individual engaged in foreign travel. Florida initially declined to disclose this data and has so far refused to provide additional data, including how many persons were being tested and monitored for the virus, with the governor citing health privacy law concerns. New York, conversely, has been willing to share more information, releasing details about the scope of testing and monitoring and even identifying specific public buildings, such as schools or places of worship, as possible contagion points.
As states navigate these disclosures, it is important to remember that even seemingly anonymous data can be used to identify a particular individual. Several studies, including those on the re-identifiability of credit card metadata and smartphone mobility data, have demonstrated that only a handful of “anonymous” data points can identify a specific individual. For example, the disclosure of age, gender, place of work, and zip code could be enough to identify a specific individual.
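The re-identification risk described above can be measured before a dataset is released. The following is an added example, not part of the Bradley alert and not code from any state agency: it applies the standard k-anonymity check to a small set of constructed case records (fictional people and employers, Florida-style zip codes chosen for illustration). A record whose combination of quasi-identifiers (age, gender, employer, zip) is unique in the release is re-identifiable by anyone who knows those facts about a person; generalizing the fields before release is one common mitigation, and the example shows how much it changes the result.

```python
from collections import Counter

# Constructed sample records (fictional people, employers and zip codes).
# Direct identifiers such as name are already removed, as a health
# department would do before a public release.
RECORDS = [
    {"age": 34, "gender": "F", "employer": "Hospital A", "zip": "32801"},
    {"age": 38, "gender": "F", "employer": "School B",   "zip": "32803"},
    {"age": 52, "gender": "M", "employer": "School B",   "zip": "32803"},
    {"age": 29, "gender": "M", "employer": "Retail C",   "zip": "32801"},
    {"age": 61, "gender": "F", "employer": "Retail C",   "zip": "32805"},
    {"age": 45, "gender": "M", "employer": "Hospital A", "zip": "32801"},
    {"age": 68, "gender": "F", "employer": "School B",   "zip": "32803"},
    {"age": 22, "gender": "M", "employer": "Hospital A", "zip": "32805"},
]

DETAILED_QI = ("age", "gender", "employer", "zip")
GENERALIZED_QI = ("age_band", "gender", "zip3")


def equivalence_classes(records, quasi_identifiers):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """Size of the smallest equivalence class. k == 1 means at least one
    record is the only one with its combination, i.e. it is re-identifiable."""
    return min(equivalence_classes(records, quasi_identifiers).values())


def unique_records(records, quasi_identifiers):
    """Number of records that are alone in their equivalence class."""
    classes = equivalence_classes(records, quasi_identifiers)
    return sum(1 for size in classes.values() if size == 1)


def generalize(record):
    """Coarsen a record before release: 20-year age band, employer dropped,
    zip truncated to its 3-digit prefix. The band width and prefix length
    are illustrative choices, not a regulatory standard."""
    band_start = (record["age"] // 20) * 20
    return {
        "age_band": f"{band_start}-{band_start + 19}",
        "gender": record["gender"],
        "zip3": record["zip"][:3],
    }


def release_report(records):
    """Compare re-identification risk of the detailed and generalized releases."""
    generalized = [generalize(r) for r in records]
    return {
        "detailed_k": k_anonymity(records, DETAILED_QI),
        "detailed_unique": unique_records(records, DETAILED_QI),
        "generalized_k": k_anonymity(generalized, GENERALIZED_QI),
        "generalized_unique": unique_records(generalized, GENERALIZED_QI),
    }


if __name__ == "__main__":
    for key, value in release_report(RECORDS).items():
        print(f"{key}: {value}")
```

On the constructed records every row is unique when age, gender, employer and zip are all published (k = 1, eight re-identifiable records), while the generalized release reaches k = 2 with no unique rows. Real releases are judged against far larger populations and usually target a higher k, but the check itself is the same.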
Given today’s digital age and the vast amount of information that is available about each of us, it is important to consider privacy — even during these trying times.
Covered Entities under HIPAA
Hospitals' and other healthcare providers' responses to the pandemic have likewise been mixed. While some providers are actively communicating and attempting to be transparent, others have been more reluctant and have refused to publicly disclose whether patients have tested positive for the virus. When this information may identify individual patients, healthcare privacy laws, such as HIPAA and state laws that are more restrictive, create complications for hospitals as they honor the privacy rights of patients who have contracted the virus while meeting their public health responsibilities.
At the outbreak of the virus, the Office for Civil Rights of the U.S. Department of Health and Human Services (HHS) issued a bulletin making clear that, even in emergency situations such as the COVID-19 outbreak, the protections of the HIPAA privacy rule still apply. HHS stated, “In general, except in the limited circumstances described elsewhere in this Bulletin, affirmative reporting to the media or the public at large about an identifiable patient, or the disclosure to the public or media of specific information about treatment of an identifiable patient, such as specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization[.]” Earlier this week, HHS issued a limited waiver of certain HIPAA privacy requirements strictly for hospitals operating under their disaster recovery plans.
On March 17, HHS announced that it will use enforcement discretion for covered healthcare providers using video chat apps such as FaceTime, Skype, Facebook Messenger, and Google Hangouts to provide telehealth during the COVID-19 emergency period. Providers will be expected to notify patients of the privacy and security risks associated with the use of such apps and to use encryption. In addition, vendors that offer video communication products are beginning to offer their solutions under a HIPAA Business Associate Agreement model that tracks the HIPAA Security Standards.
In terms of the purposes for which healthcare providers are permitted to share protected health information, covered entities and their business associates should continue to follow their existing policies regarding use and disclosure of protected health information for treatment, payment and healthcare operations purposes, disclosures for public health purposes and to the media, and the minimum necessary standard. For example, HIPAA authorizes the disclosure of protected health information about a COVID-19 patient to certain friends, family members, and other individuals involved in the care of that person. A hospital also may share information with state and federal public health authorities, such as the CDC and state and local health departments. However, these exceptions are narrow, and failure to comply can result in stiff penalties that can range from $100 to $50,000 per violation and up to $1.5 million a year. Questions regarding whether a specific disclosure is permitted under HIPAA, or whether applicable state law restrictions preempt HIPAA, should be directed to legal counsel.
At the end of the day, while sharing information can be crucial in helping prevent the virus from spreading further, governmental entities and covered entities (among others) need to be cognizant of privacy laws and best practices to make sure they do not run afoul of legal and ethical obligations in their containment efforts. Bradley will provide a separate client alert addressing the hospital waiver and frequently asked questions from healthcare providers.
Stay tuned for additional installments and updates on these and other privacy issues arising from the COVID-19 pandemic.