A Delicate Balance: New Privacy Challenges for Public Health Disclosures During the COVID-19 Pandemic

  • July 24, 2020
  • Jessica Quinn, Senior Vice President and Chief Ethics & Compliance Officer, OhioHealth
  • Vladimir Edmondson, Senior Compliance Director and Chief Privacy Officer, OhioHealth

When enacting the Health Insurance Portability and Accountability Act of 1996 (HIPAA),[1] Congress ushered in a new generation of privacy protections for patients’ health information and established a national framework for patient privacy. Since that time, the health industry has established robust privacy programs aimed at protecting patient data to comply with this sweeping legislation, as well as with corresponding state privacy laws that have cropped up throughout the country to protect a patient’s right to privacy. One of the many important lessons learned during the COVID-19 pandemic may be the critical role of public health officials and their need to use patient information for responding to such a crisis. Considering the numerous parties involved in public health activities related to COVID-19, as well as the volume of relevant information, the balance between public health needs and an individual’s right to privacy must be carefully considered.

In general, federal privacy laws attempt to strike a delicate balance of protecting a patient’s right to privacy “while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health.”[2] This balance is accomplished through two primary mechanisms: (a) a broad preemption provision that saves most state public health laws from preemption under HIPAA; and (b) a number of exceptions to HIPAA for a wide range of public health activities. From the perspective of compliance and privacy officers, previous requests related to public health activities have been relatively straightforward, that is until this public health emergency. The need for access to patient information for public health activities designed to successfully respond to a public health emergency, such as the COVID-19 pandemic, may prove to be a different story considering the magnitude of the response required to win this battle.

HIPAA and Public Health

When drafting the HIPAA privacy provisions more than 20 years ago, Congress deferred most of the details to the U.S. Department of Health and Human Services (HHS) Secretary, who was charged with promulgating privacy regulations to address individual rights for health information, including when authorization would be required, the procedures to exercise such individual rights,[3] and when uses and disclosures should be required.[4] Congress was, however, very deliberate to ensure that the sweeping federal law did not impede public health activities by including the following statutory language: “Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.”[5]

The Privacy Rule and Public Health

Pursuant to the authority granted under HIPAA, the Secretary issued extensive regulations to implement the privacy provisions of the statute referred to as The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule).[6] The Privacy Rule regulates how a covered health plan, health care clearinghouse, and health care provider (Covered Entities)[7] may use and disclose protected health information (PHI) and establishes a number of privacy rights for individuals, including, most notably, a requirement that Covered Entities obtain an individual’s authorization for a wide range of disclosures of the individual’s PHI.[8] Within the vast public health network mobilized to combat the COVID-19 pandemic,[9] the use of PHI could span a large range of public health practice and research, including such traditional public health activities as program operations, public health surveillance, outbreak investigations, direct health services, and public health research.[10] Recognizing that “public health reports made by Covered Entities are an important means of identifying threats to the health and safety of the public at large,”[11] the Privacy Rule incorporates a savings clause for conflicting state laws based on the statutory provision,[12] as well as several provisions exempting public health activities from these stringent requirements.[13]

Preemption of State Public Health Laws

An additional reason for the Administrative Simplification Regulations, which include the Privacy Rule, expressed in the 2000 Preamble, is “to improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.”[14] Consistent with the goal of Congress to establish a national framework for patient privacy that sets a “floor” or basic set of privacy protections for individuals,[15] the Privacy Rule makes clear that any state law that is “contrary”[16] to a Privacy Rule provision is preempted, unless the state law is more stringent.[17] For a law to be considered more stringent, it would need to provide greater privacy protections for the individual.[18] Because public health laws typically provide for uses and disclosures of PHI for public health reasons, they are unlikely to be more stringent. In support of Congress’ goal of protecting this important function from preemption, the Secretary included several provisions allowing for disclosures of PHI for public health activities, and OCR guidance explains that “[t]he HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information to carry out their public health mission.”[19]

First and foremost, a broad exception under the Privacy Rule protects state public health laws (and procedures established under such laws) from preemption if they provide for the “reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.”[20] All other state laws may also be protected from preemption if the Secretary determines that the law is necessary for “purposes of serving a compelling need related to public health, safety, or welfare” and “that the intrusion into privacy is warranted when balanced against the need to be served.”[21] Although these provisions would likely protect many state public health activities, there are two notable limitations. First, the savings clause only applies to state-related laws and activities in contrast to the statutory provision that applies to any laws.[22] Second, it is conceivable that novel public health activities in response to the COVID-19 pandemic may not be easily tied to an underlying state law. From a practical standpoint, the impact of these limitations is substantially mitigated by the broad exceptions under the Privacy Rule for public health activities.

The Public Health Exceptions

In addition to the aforementioned savings clause, the Privacy Rule includes a number of exceptions that permit Covered Entities to disclose PHI for a broad list of public health activities without obtaining patient authorization or providing the patient an opportunity to agree or object.[23] These exceptions allow for uses and disclosures of PHI that would not have met the limited language of the savings clause. For example, these exceptions are not predicated on a state law that mandates disclosure of PHI for public health activities, nor do they all require state involvement. Rather, they allow Covered Entities to decide whether to disclose PHI for public health reasons. The exceptions most relevant to the COVID-19 pandemic are discussed below.

Public Health Authorities. The first exception is for disclosures to public health authorities.[24] In addition to the standard reporting of disease, such as positive COVID-19 tests, or of vital events, such as COVID-19-related deaths, this exception allows Covered Entities to make disclosures for public health surveillance, investigations, and interventions if certain conditions are met.

Under this exception, a Covered Entity must meet a two-prong test before using or disclosing PHI without patient authorization, including that the entity seeking the information is:

  • A public health authority; and
  • Authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability.[25]

Under the Privacy Rule, a public health authority is defined as an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe responsible for public health matters as part of its official mandate.[26] This definition extends to a person or entity acting under a grant of authority from or contract with such public agency.[27] Interestingly, the Covered Entity may also disclose PHI to a foreign official acting in collaboration with a public health authority if directed to by a public health authority,[28] which actually broadened the scope of allowable public health authority disclosures from the original Notice of Proposed Rule Making issued in November 1999.[29] This last-minute change to the final Privacy Rule in 2000, allows Covered Entities to disclose PHI to a foreign government agency that is, for example, collaborating with the Centers for Disease Control and Prevention to limit the spread of infectious disease—yet again underscoring the value that the Privacy Rule placed on the importance of public health exceptions.[30]

In addition to being a public health authority, the entity seeking the information must be “authorized by law” to collect or receive the information.[31] Recognizing that public health authorities operate under broad mandates to protect the health of their constituent populations, the Secretary has interpreted the phrase "authorized by law" to mean that a legal basis exists for the activity, not that there is a specific law that authorizes the collection of the information requested.[32] Further, the Secretary referred to the phrase as "a term of art" that includes both actions that are permitted and actions that are required by law.[33]

This broad exception, coupled with the savings clause for public health laws, provides Covered Entities with significant regulatory relief from HIPAA, relief necessary to respond to most governmental requests for PHI in public health emergencies such as the current one. In addition, the Office for Civil Rights (OCR), the federal agency responsible for enforcing HIPAA, extended the practical reach of this exception to business associates during the COVID-19 pandemic in its Notification of Enforcement Discretion.[34] In this notification, OCR announced that it would not impose penalties for violations of certain provisions of the Privacy Rule in connection with good-faith uses and disclosures for public health and health oversight activities during the COVID-19 pandemic, including the provision that limits a business associate’s use and disclosure of PHI to what its business associate agreement permits (or what is required by law).[35]

In light of the number of agencies engaged in the pandemic response, however, it is possible that a Covered Entity may receive a request from a third party that is not authorized by law to receive such disclosures. In such an event, the Covered Entity must ascertain whether another exception applies.

FDA Regulated Products or Activities. Covered Entities may disclose PHI to individuals responsible for certain activities related to the quality, safety, or effectiveness of Food and Drug Administration (FDA) regulated products or activities.[36] Such purposes include:

  • To collect or report adverse events, product defects or problems, or biological product deviations;
  • To track FDA-regulated products;
  • To enable product recalls, repairs, or replacement, or lookback; or
  • To conduct post-marketing surveillance.[37]

This exception is particularly important considering the volume of Emergency Use Authorizations (EUAs) issued by the FDA for various diagnostic, therapeutic, and protective medical devices in response to the COVID-19 pandemic that require increased rigor around monitoring and reporting to ensure patient safety.

Contact Tracing. A lesser-known exception under the Privacy Rule relates to contact tracing.[38] Depending on the respective state or local law, Covered Entities may disclose PHI to a person who may have been exposed to COVID-19 or may otherwise be at risk of contracting or spreading COVID-19 if the Covered Entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation.[39] Although contact tracing is traditionally managed through departments of health, Covered Entities may be asked to assume a greater role during the COVID-19 pandemic in light of the magnitude of the exposure. Considering the heightened privacy concerns with contact tracing, in which members of the public are notified about another’s health status, the Covered Entity should make sure that any such activity is specifically authorized by state or local law or delegated by an agency authorized by law to engage in such activity.

Workplace Health. Another exception that may be put to the test during the COVID-19 pandemic is the workplace health exception, which allows Covered Entities to disclose PHI to a patient’s employer provided certain strict requirements are met.[40] As with the exception for contact tracing, there are significant risks associated with this type of disclosure, and Covered Entities should carefully consider the following requirements:

  • The patient must be a member of the workforce of the employer and must be provided advance written notice by the Covered Entity that the PHI will be disclosed to the employer;[41]
  • The PHI is limited to findings concerning a work-related illness or injury or a workplace-related medical surveillance;
  • The Covered Entity must be a covered health care provider who provides health care to the individual at the request of the employer, such as through an onsite employee clinic; and
  • The employer needs the PHI to conduct an evaluation relating to medical surveillance of the workplace or to record such work-related illness or injury in order to comply with Occupational Safety and Health Administration and similar reporting obligations, including state reporting obligations.[42]

Although these exceptions provide relief from the Privacy Rule requirements related to obtaining patient authorization and providing opportunity to object, the remaining requirements still apply. For example, to the extent a Covered Entity makes a disclosure under any of these exceptions, it still must comply with the “minimum necessary” rule and limit the amount disclosed to that which is reasonably necessary to accomplish the purpose for which the request is made.[43] A Covered Entity may, however, reasonably rely on representations by the public official or other Covered Entity that the information requested is the minimum necessary for the stated purpose(s).[44]

Additional Exceptions

In addition to the traditional public health exceptions under the Privacy Rule, other exceptions under the Privacy Rule may apply to disclosures during this pandemic. For example, OCR recently issued guidance regarding Disclosures to Law Enforcement, Paramedics, Other First Responders and Public Health Authorities (First Responder Guidance), which maintained that “[a] covered entity may disclose PHI to a first responder who may have been exposed to COVID-19, or may otherwise be at risk of contracting or spreading COVID-19, if the covered entity is authorized by law, such as state law, to notify persons as necessary in the conduct of a public health intervention or investigation.”[45] The same guidance reminded Covered Entities that under certain circumstances, however, more than one provision of the Privacy Rule may apply to a use or disclosure. To that end, OCR clarified application of the broadly constructed and interpreted provision of the Privacy Rule that allows for uses or disclosures to avert a serious threat to health or safety to a person or the public.[46] The First Responder Guidance explained that Covered Entities may, consistent with applicable law and standards of ethical conduct, “disclose PHI to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat, which may include the target of the threat. For example, HIPAA permits a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties.”[47]

The presumption of good faith for uses or disclosures to avert a serious threat to health or safety is met under the Privacy Rule if the Covered Entity’s belief that led to such use or disclosure is based on its actual knowledge or on reliance on a credible representation by a person with apparent knowledge or authority.[48] In a pandemic, the Privacy Rule’s permissive disclosure to prevent or lessen a serious and imminent threat to the health or safety of a person or the public may be the most often employed tool for good-faith uses and/or disclosures that may not neatly fit within the Privacy Rule’s public health exceptions.

The Road Ahead

When establishing the federal framework for the privacy of health information over two decades ago, Congress and the Secretary clearly considered both a patient’s right to privacy and public health needs and attempted to balance the two through statutory and regulatory provisions. Albeit complex, these provisions cover a wide range of public health-related activities and have arguably had a relatively limited impact on patient privacy rights. As these provisions are put to the test during the COVID-19 pandemic, it will be important for compliance and privacy officers to remain vigilant to protect this delicate balance. To that end, compliance and privacy officers should be mindful that any state orders declaring mandatory public health disclosures contemplate that such disclosures are actually for “the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention,”[49] which should be evident upon a close reading of the order. Privacy officers must also recognize the benefit and best practice of tracking any activities related to state-ordered mandatory public health disclosures, aside from their obligation to specifically account for any such disclosure at the patient’s medical record level.
Jessica Quinn, Esq., Senior Vice President and Chief Ethics & Compliance Officer, provides executive leadership in the areas of Ethics & Compliance, Internal Audit, and Information Security for OhioHealth. As a key business partner, she delivers mission-driven, strategic guidance to help OhioHealth anticipate, prepare for, and navigate existing and emerging risk areas. Ms. Quinn began her career as a health lawyer focusing on fraud and abuse, regulatory law, privacy, and managed care contracting. She served as The University of Texas MD Anderson Cancer Center’s Vice President and Chief Compliance Officer until joining OhioHealth in 2014.

Vladimir Edmondson, MPAff., CHC, serves as OhioHealth’s Senior Compliance Director & Chief Privacy Officer. In this role, Mr. Edmondson is responsible for all aspects of OhioHealth’s Privacy Compliance Program as well as the infrastructure of the Corporate Ethics & Compliance Program. He joined OhioHealth in January 2015 after spending more than a decade in the Institutional Compliance Office at The University of Texas MD Anderson Cancer Center, where Mr. Edmondson served as the Director of Compliance Programs.

The views expressed in the article do not necessarily express the views of OhioHealth.

[1] Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, H.R. 3103, 104th Cong.
[2] Office for Civil Rights (OCR) Privacy Brief, Summary of the HIPAA Privacy Rule, Last Revised May 2003, https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.
[3] Health Insurance Portability and Accountability Act of 1996, Sec. 264, Pub. L. No. 104-191, H.R. 3103, 104th Cong.
[4] Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82462, 82470 (Dec. 28, 2000) (codified at 45 C.F.R. pt. 164) (preamble).
[5] 42 U.S.C. § 1320d–7(b).
[6] 45 C.F.R. pts. 160, 162, 164.
[7] Id. § 160.103.
[8] Id. §§ 164.502 - .530.
[9] The public health system includes public health agencies at state and local levels, health care providers, public safety agencies, human service and charity organizations, environmental agencies and organizations, and a variety of related organizations. See Centers for Disease Control and Prevention, The Public Health System & the 10 Essential Public Health Services (Last Revised May 21, 2020), https://www.cdc.gov/publichealthgateway/publichealthservices/essentialhealthservices.html.
[10] Centers for Disease Control and Prevention and the U.S. Department of Health and Human Services, HIPAA Privacy Rule and Public Health (Page Converted Apr. 11, 2003), https://www.cdc.gov/mmwr/preview/mmwrhtml/m2e411a1.htm.
[11] OCR, Guidance: Disclosures For Public Health Activities (Dec. 3, 2002, Revised Apr. 3, 2003), https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/publichealth/publichealth.pdf.
[12] 45 C.F.R. §§ 160.201 - .205.
[13] Id. § 164.512.
[14] Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82462, 82463 (Dec. 28, 2000) (codified at 45 C.F.R. pt. 164) (preamble).
[15] Id. at 82462.
[16] A state law is “contrary” to a Privacy Rule provision if either (1) a covered entity or business associate would find it impossible to comply with both the state and federal requirements, or (2) the provision of state law stands as “an obstacle to the accomplishment and execution” of the full purposes and objectives of the federal provision. 45 C.F.R. § 160.202.
[17] Id. § 160.203.
[18] Id.
[19] OCR, Guidance: Disclosures For Public Health Activities (Dec. 3, 2002, Revised Apr. 3, 2003), https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/publichealth/publichealth.pdf.
[20] 45 C.F.R. § 160.203(c).
[21] Id. § 160.204.
[22] 42 U.S.C. § 1320d–7(b).
[23] 45 C.F.R. § 164.512.
[24] Id. § 164.512(b)(1).
[25] Id.
[26] Id. § 164.501 (definition of “public health authority”).
[27] Id.
[28] Id.
[29] Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. 59918, 60056 (Nov. 3, 1999) (proposed).
[30] Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82462, 82525 (Dec. 28, 2000) (codified at 45 C.F.R. pt. 164) (preamble).
[31] 45 C.F.R. § 164.512(b)(1).
[32] Standards for Privacy of Individually Identifiable Health Information, 64 Fed. Reg. at 59929.
[33] Id.
[34] Notification of Enforcement Discretion Under HIPAA To Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities in Response to COVID–19, Apr. 2, 2020, https://www.hhs.gov/hipaa/newsroom/index.html, (published 85 Fed. Reg. 19392 (Apr. 7, 2020)).
[35] Id.; see also 45 C.F.R. § 164.502(a)(3).
[36] 45 C.F.R. § 164.512(b)(3).
[37] Id.
[38] Id. § 164.512(b)(1)(iv).
[39] Id.
[40] Id. § 164.512(b)(1)(v).
[41] Note this would not include family members of employees who receive care at workplace clinics. Id. § 164.512(b)(1)(v).
[42] Id. § 164.512(b)(1)(v)(C).
[43] Id. §§ 164.502(b), 164.514(d).
[44] Id. § 164.514(d)(3)(iii)(A).
[45] OCR, Guidance: COVID-19 and HIPAA: Disclosures to Law Enforcement, Paramedics, Other First Responders and Public Health Authorities (Mar. 24, 2020), https://www.hhs.gov/sites/default/files/covid-19-hipaa-and-first-responders-508.pdf.
[46] 45 C.F.R. § 164.512(j).
[47] OCR, Guidance: COVID-19 and HIPAA: Disclosures to Law Enforcement, Paramedics, Other First Responders and Public Health Authorities (Mar. 24, 2020), https://www.hhs.gov/sites/default/files/covid-19-hipaa-and-first-responders-508.pdf. See also 45 C.F.R. § 164.512(j).
[48] 45 C.F.R. § 164.512(j)(4).
[49] 45 C.F.R. § 160.203(c).