The worldwide COVID-19 pandemic visited on America in the past several months has quickly reinvigorated the foundational and important debate concerning where, in a free society, individual autonomy ends (or should end) and where public protection begins (or should begin). Squarely in the cross-hairs of this renewed debate is the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Tasked with protecting and securing the privacy of individual health information in the midst of an international public health crisis, HIPAA would seem at odds with governmental efforts across the globe to permit the release of otherwise private individual health information in an effort to protect the public collective. The purpose of this article is not to take sides in this debate, but rather to flesh out and discuss those provisions of HIPAA and the governmental pronouncements thereon relevant to public health emergencies, in general, and the current pandemic, more specifically. However, viewing such provisions and pronouncements against the backdrop of this debate will hopefully shed light on why certain public health emergency provisions are included in HIPAA, why other HIPAA provisions have been waived in connection with the current pandemic, and why “good faith” violations of still other HIPAA provisions will not be prosecuted during this pandemic. Within the context of this debate, reasonable inferences can also be made concerning whether and how HIPAA may be forever altered as a result of COVID-19.
HIPAA and the Privacy Rule
Let’s start with the basics. HIPAA, as modified by the HITECH Act, establishes a national set of standards for the protection of individually identifiable health information (or PHI) within the healthcare industry. HIPAA applies to healthcare providers who transmit health information in electronic form (as well as health plans and healthcare clearinghouses) (collectively referred to as “covered entities”) as well as their business associates. It includes a Privacy Rule to protect the privacy of oral, paper and electronic PHI, a Security Rule to protect the privacy (and security) of electronic PHI (e-PHI), and a Breach Notification Rule which requires certain impermissible uses and disclosures of PHI to be reported. In some instances, HIPAA also provides for penalties or other punishment for violations. Considered in a vacuum, HIPAA’s privacy protections are not only sensible, but seemingly essential in a country founded on individual liberties. Foist a national public health emergency on the country, however, and whether each of HIPAA’s personal privacy protections remains justifiable, much less imperative, becomes less clear as our nation of individuals considers the well-being of our nation as a whole.
HIPAA and Public Health Emergencies
To be sure, the privacy of PHI remains paramount during a public health emergency. Indeed, the U.S. Department of Health and Human Services (“HHS”) has repeatedly emphasized that the Privacy Rule is not suspended during a national emergency (e.g., Hurricane Katrina) or public health emergency (e.g., 2009 H1N1 flu outbreak). However, HHS has just as regularly reiterated that during, and in response to, a public health emergency, various existing Privacy Rule provisions permit PHI to be shared not only for the benefit of individuals affected thereby but also the public at large. Further, other Privacy Rule provisions may be waived or, at the sole discretion of the HHS Office for Civil Rights (OCR), simply not enforced.
HIPAA and COVID-19
Unfortunately, the HIPAA Privacy Rule and a public health emergency with extraordinary reach collided head on a scant five months ago when HHS Secretary Alex Azar declared COVID-19 a public health emergency on Jan. 31, 2020. Immediately, the Privacy Rule’s need and ability to serve the seemingly disparate goals of individual privacy and public protection took center stage. Within days of Secretary Azar’s declaration, HHS issued a February 2020 bulletin enumerating “the ways that patient information may be shared under the … Privacy Rule in an outbreak of infectious disease or other emergency situation.” This bulletin also served “as a reminder that the protections of the Privacy Rule are not set aside during an emergency,” but simultaneously underscored that the Privacy Rule is “balanced to ensure that appropriate uses and disclosures of [patient] information still may be made when necessary … to protect the nation’s public health, and for other critical purposes.” Subsequently, President Trump declared COVID-19 a nationwide emergency on March 13, 2020, and HHS has continued to issue clarifying pronouncements concerning the application of the dual-purposed Privacy Rule in the (now) “new normal” ushered in by the global coronavirus pandemic.
So, what’s already in place?
In a March 2020 bulletin, HHS identified various Privacy Rule provisions that are operable in the context of any public health emergency—and which appear to permit certain disclosures of PHI for the general public good, even at the expense of certain individual privacy rights. Specifically, HHS confirmed that “in emergency situations” and without patient authorization, the Privacy Rule “always allows [PHI] to be shared for [certain] purposes and under [certain] conditions,” including:
- Treatment: PHI can always be shared by and among healthcare providers about a patient if necessary to treat the patient or to treat a different patient, including the coordination and management of health care and related services, consultations between providers, and referral of patients for treatment;
- Public Health Activities: The “minimum necessary” PHI can always be shared with a public health authority (such as the CDC or a state or local health department) authorized to collect such PHI for the purpose of preventing or controlling a disease (which allows the CDC, for example, to collect PHI concerning all prior and prospective cases of patients exposed to or suspected or confirmed to have COVID-19), as well as with persons who may have been exposed to a communicable disease provided that state law authorizes such notification; and
- Disclosures to Prevent or Lessen a Serious and Imminent Threat: The “minimum necessary” PHI can also always be shared by a health care provider with anyone, including law enforcement personnel, and a patient’s family, friends, and caregivers, if in “good faith” the disclosure is believed necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. Notably, in making determinations about the nature and severity of the threat to health and safety, the Privacy Rule expressly defers to the professional judgment of health professionals.
What else has HHS done?
As the pandemic progressed across the country, HHS waived those Privacy Rule provisions that it could, and OCR made clear that it will not penalize “good faith” violations of certain other provisions.
First, on March 15, 2020, just two days after President Trump declared COVID-19 a nationwide emergency, HHS Secretary Azar (retroactive to March 1, 2020) waived sanctions and penalties against covered hospitals that do not comply with the normal HIPAA requirements, such as: a) requiring a patient’s agreement to speak with family members or friends involved in the patient’s care, b) honoring a patient’s request to opt out of the covered hospital’s facility directory, c) distributing a notice of privacy practices, and d) otherwise recognizing a patient’s right to request privacy restrictions and confidential communications. While striking in their seeming abandonment of foundational HIPAA protections, the rationale for these waivers in response to COVID-19 seems apparent when the breadth of the pandemic and the limited time such waivers apply are considered. A covered hospital may only rely on such waivers if it has instituted a disaster protocol and only for up to 72 hours after such implementation in the emergency area identified in the applicable public health emergency declaration.
Then, in apparent recognition of the need to allow our national health care community to act swiftly and smartly in response to an uncommon public enemy, even though such actions may technically (and perhaps substantively) infringe on seemingly sacrosanct HIPAA privacy protections, OCR issued three separate “Notifications of Enforcement Discretion” addressing:
- Telehealth – Acknowledging the importance of telehealth to protect patients from COVID-19, whether or not seeking treatment for COVID-19, and recognizing that the most accessible technologies for providing telehealth may not be HIPAA compliant, OCR permitted the “good faith” use of popular non-public facing apps, such as Zoom, Skype and Apple FaceTime (but not public facing apps, such as Facebook Live, Twitch and TikTok) to provide telehealth;
- Business associate disclosures for public health or health oversight purposes – Acknowledging that business associates are unable to take certain actions unless expressly permitted to do so by their business associate agreements, OCR permitted business associates in “good faith,” and subject to certain conditions, to disclose PHI or perform public health data analytics on such PHI for the purpose of ensuring the health and safety of the general public during the COVID-19 pandemic; and
- Community-based COVID-19 testing sites – Acknowledging the need for COVID-19 community-based testing sites (CBTS) and that certain covered healthcare providers, including some large pharmacy chains and their business associates, may not fully comply with HIPAA requirements in connection with the operation of such sites (including mobile, drive-through and walk up sites that solely provide COVID-19 specimen collection or testing services), OCR permitted the “good faith” operation of CBTS. At the same time, however, OCR confirmed that its abdication does not apply to non-CBTS-related activities, even if the covered entity also provides CBTS activities, including pharmacies that operate a CBTS in the parking lot of their retail facilities.
Yet, as overwhelming as the coronavirus pandemic has been to our nation (and the world) thus far this year, it is the “new normal” that it appears to represent that is perhaps most daunting. This includes choices that will now need to be made between individual privacy and the public good in various health care contexts as a result of COVID-19. Such choices will likely directly implicate HIPAA or other federal privacy laws and, once made, may themselves become the “new normal.” Already, the balance is being struck. Consider, for example:
- Digital contact tracing – The now ubiquitous term describes a process which seeks to identify, notify and make appropriate recommendations to those persons who have come into contact with a person infected with COVID-19, with the intent to break the chain of disease transmission by having individuals upload their individual health information to a mobile app. Most app developers, such as Apple and Google, are not covered entities and thus are not governed by HIPAA. However, if an app is developed for or provided by a covered entity, that entity must fully comply with HIPAA in connection with any e-PHI uploaded to the app, whether for purposes of contact tracing or otherwise. Conversely, a covered entity does not have to comply with HIPAA to the extent that an individual directs the covered entity to send the individual’s e-PHI to an app that is not affiliated with the covered entity. And recognizing that contact tracing relies on individuals’ personal information, including individuals’ PHI, and in an apparent effort to close the privacy protection loop, multiple bills, including the bipartisan Exposure Notification Privacy Act, have been introduced in Congress. The stated purpose of each of these bills is to regulate the use and protect the privacy of information gathered in connection with contact tracing by entities not otherwise regulated by HIPAA.
- Disclosures to law enforcement and other first responders – As noted above, HIPAA generally permits a covered entity, without patient authorization and in “good faith,” to disclose the minimum necessary PHI to law enforcement personnel provided the covered entity believes, in good faith, that such disclosure is necessary (including that law enforcement personnel are reasonably able) to prevent or lessen a serious or imminent threat to the health or safety of a person or the public. However, questions abound in the COVID-19 era. For instance: If COVID-19 carriers may be asymptomatic, can disclosing PHI confirming whether an individual tested positive for COVID-19 ever reasonably be deemed to prevent or lessen the threat posed by COVID-19 for law enforcement personnel (or otherwise)? Or, conversely, is every member of the public a possible serious or imminent threat such that anyone’s PHI may be disclosed to law enforcement personnel (or other first responders)? Although the answers to such questions may simply lead to more questions, OCR recently provided several concrete examples of permissible disclosures that covered entities may make without patient authorization to law enforcement personnel and other first responders in various contexts including: (a) for treatment purposes – a skilled nursing facility may disclose PHI about an individual who has COVID-19 to EMS personnel who will provide treatment during transport; (b) when required by law – a hospital may disclose PHI about an individual who tests positive for COVID-19 in accordance with a state law requiring the reporting of confirmed or suspected cases of infectious disease to public health officials; and (c) when first responders may be at risk of infection – a covered county health department, in accordance with state law, may disclose the minimum necessary PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19 for purposes of preventing or controlling the spread of COVID-19.
So, where does HIPAA go from here? While “who knows?” feels like the only right answer in the current COVID-19 climate, it seems likely that telehealth is here to stay as healthcare providers and patients alike appear to have recognized its ease, efficiency and ability to insulate the healthy from the sick. Considering that HIPAA was promulgated before the age of the smartphone and how quickly the government relaxed HIPAA requirements to allow use of non-HIPAA-compliant smartphone apps for the provision of telehealth in response to COVID-19, HIPAA amendments permitting greater use of such technologies and the debate between individual privacy and public protection (or functionality) that such amendments will trigger are likely on the horizon. Healthcare providers will also likely make (or be asked by public health agencies to make) greater use of their patients’ individual PHI in an effort to improve the health and case management of their overall patient population or the public. Indeed, on June 12, 2020, OCR issued guidance explicitly stating that HIPAA permits healthcare providers to use their patients’ individual PHI to identify and contact those patients that have recovered from COVID-19 to give them information about donating blood and plasma that could help other COVID-19 patients. Look for additional guidance concerning what uses of PHI are permissible for these purposes under HIPAA. Current regulations are subject to multiple interpretations and guidance thereon will certainly rekindle the underlying debate concerning when, if at all, in a free society individual private health information should be utilized in protecting the collective.
 See U.S. Dep’t of Health and Human Services, Office for Civil Rights, HIPAA Privacy in Emergency Situations Bulletin (November 2014), https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/emergency/hipaa-privacy-emergency-situations.pdf.
 Id.; See generally U.S. Dep’t of Health and Human Services, Office for Civil Rights, HIPAA FAQs for Professionals, Telehealth, https://www.hhs.gov/hipaa/for-professionals/faq/telehealth/index.html.
 SeePress Release, U.S. Dep’t of Health and Human Services, Secretary Azar Declares Public Health Emergency for United States for 2019 Novel Coronavirus (January 31, 2020).
 See U.S. Dep’t of Health and Human Services, Office for Civil Rights, HIPAA Privacy and Novel Coronavirus Bulletin (February 2020), https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf.
 SeePresident Donald J. Trump, Proclamation on Declaring A National Emergency Concerning the Novel Coronavirus Disease (COVID-19) Outbreak (March 13, 2020), https://www.whitehouse.gov/presidential-actions/proclamation-declaring-national-emergency-concerning-novel-coronavirus-disease-covid-19-outbreak/.
 See U.S. Dep’t of Health and Human Services, COVID-19 & HIPAA Limited Waiver of HIPAA Sanctions and Penalties During a Nationwide Public Health Emergency Bulletin (March 2020), https://www.hhs.gov/sites/default/files/hipaa-and-covid-19-limited-hipaa-waiver-bulletin-508.pdf.
 Id.; See also 45 C.F.R. §§ 164.502(b), 164.514(d).
 See 45 C.F.R. §§ 164.502(a)(1)(ii), 164.506(c), and the definition of “treatment” at 164.501.
 See 45 C.F.R. §§ 164.501 and 164.512(b)(1)(i).
 See 45 C.F.R. §164.512(b)(1)(iv).
 See 45 C.F.R. §164.512(j).
 The HHS Secretary may only waive certain Privacy Rule Provisions if the President declares a national emergency or disaster and the HHS Secretary declares a public health emergency. See the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.
 See 45 C.F.R. §164.510(b).
 See 45 C.F.R. §164.510(a).
 See 45 C.F.R. §164.520.
 See 45 C.F.R. §164.522(a).
 See 45 C.F.R. §164.522(b).
 See U.S. Dep’t of Health and Human Services, HIPAA FAQs for Professionals: Access Rights, Apps and APIs (January 31, 2020), https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access-right-health-apps-apis/index.html.
 See U.S. Dep’t of Health and Human Services, Office for Civil Rights, Guidance on HIPAA and Contacting Former COVID-19 Patients about Blood and Plasma Donation (June 12, 2020), https://www.hhs.gov/sites/default/files/guidance-on-hipaa-and-contacting-former-covid-19-patients-about-blood-and-plasma-donation.pdf.