The Office of Civil Rights (OCR) last month provided guidance and a reminder to HIPAA covered entities and their business associates regarding the sharing of patient health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule during an outbreak or emergency situation such as what we are all facing right now with the Novel Coronavirus (2019-nCoV) outbreak.

The OCR guidance focused on sharing patient information in several areas, including: treatment, public health activities, disclosures to family, friends, and others involved in an individual’s care, and disclosures to prevent a serious and imminent threat.

The HIPAA Privacy Rule allows a covered entity to disclose PHI to the Center for Disease Control (CDC) or to state or local health departments that are authorized to collect or receive such information, for the purpose of preventing disease and protecting public health.  This would include disclosure to the CDC, and/or state or local health departments, of PHI as needed to report prospective cases of patients exposed to or suspected or confirmed to have Novel Coronavirus.

The OCR message in the guidance document is clear and it emphasized the balance between protecting the privacy of patient PHI and the appropriate uses and disclosures of such information to protect the public health. For more information and resources, see the HHS interactive decision tool which provides assistance to covered entities to determine how the Privacy Rule applies to disclosures of PHI in emergency situations.

This post was authored by Deborah George and is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.