Data Insider: Digital Guardian's Blog

HHS Issues Coronavirus HIPAA Guidance

by Chris Brook on Thursday February 6, 2020


In the healthcare sector, concerns about the spreading coronavirus outbreak have reignited discussion around HIPAA, protected health information, and when it's legal for healthcare providers to disclose patient records.

The swell of recent news stories around the Novel Coronavirus (2019-nCoV) outbreak prompted the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) this week to reiterate the importance of the Health Insurance Portability and Accountability Act's (HIPAA) Privacy Rule.

In light of the news, HHS issued a bulletin (.PDF) around the 2019–20 Wuhan coronavirus outbreak and how it relates to HIPAA privacy on Monday.

While the respiratory illness was labeled a public health emergency by HHS Secretary Alex M. Azar last week, the department is stressing that the urgency around 2019-nCoV shouldn't negate the protections of the HIPAA Privacy Rule.

Complying with HIPAA of course requires covered entities to safeguard patients' protected health information (PHI) - any information created, used, or disclosed during the course of diagnosis or treatment. PHI can refer to a number of information types, including a patient's Social Security Number, health plan beneficiary number, medical record number, or account number.

HHS is reminding covered entities that they can only disclose protected health information about a patient in a few scenarios, all of which relate to public health and safety: if it's necessary to treat the patient or a different patient; if there's a legitimate need for information to be shared with public health authorities, like the CDC, in order to prevent or control disease; at a public health authority's discretion; or if any individuals are believed to be at risk of contracting or spreading the disease.

There are some conditions under which a covered entity can share PHI with a patient's family, relatives, and friends, if they can be located; mostly these exist to assist in patient care. Covered entities can also disclose PHI to prevent what HHS deems a "serious and imminent threat."

Disclosure to the press is largely forbidden without the patient's written authorization.

In situations like these, when news on a public health emergency commands headlines for days on end, it's important for HHS to address any concerns around data sharing, mostly to help assuage fear. As we've seen before, concerns from hospital workers about contracting the virus, compounded by both the public and press, can lead to snooping and sharing data.

This is a path the HHS has been down before with high-profile illnesses like SARS (Severe Acute Respiratory Syndrome) and Bird Flu (Avian Influenza).

Just because a situation has been labeled an emergency doesn't give hospitals and health plans a free pass when it comes to safeguarding patient data.

"In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures," HHS said in its guidance. "Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information."

It's important to note that the Wuhan coronavirus hasn't been classified as a pandemic, yet. In the event of a pandemic, when there's an ongoing epidemic on two or more continents, waiving or modifying requirements under HIPAA could be permitted under section 319 of the Public Health Service Act.

For what it's worth, in a FAQ on its site, HHS also reiterates that the HIPAA Privacy Rule isn't suspended during a public health emergency. Only when the President declares an emergency or disaster and the HHS Secretary declares a public health emergency can the Secretary waive sanctions and penalties against covered entities that don't comply with the Privacy Rule.

For the time being, HIPAA still applies.

Tags: Industry Insights, Healthcare, HIPAA

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.