The protections of the Health Insurance Portability and Accountability Act (HIPAA) privacy rules are not set aside during an emergency, such as during an outbreak of infectious disease or other emergency situations, according to a recent bulletin entitled, HIPAA Privacy and Novel Coronavirus, from the HHS’s Office for Civil Rights (OCR). The OCR provided the bulletin to ensure that HIPAA-covered entities and their business associates were aware of the ways that patient information may be shared under the HIPAA privacy rule in light of the Novel Coronavirus (COVID-19) outbreak.
“The HIPAA privacy rule protects the privacy of patients’ protected health information (PHI) but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes,” said the OCR.
A group health plan must continue to apply administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of PHI. The bulletin notes that while HIPAA protects the privacy of PHI, it does not preclude the use and disclosure of the minimum amount of PHI necessary to treat a patient (the employee or dependent), to protect the nation’s public health, or to prevent a serious and imminent threat to the health and safety of a person or the public. However, note that all permitted disclosures of employee or dependent PHI are subject to the minimum necessary rule. According to the bulletin, “Covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties.”
SOURCE: WCI's HR AnswersNow portal ©2020 CCH Incorporated and its affiliates. All rights reserved.
Tags: Employers' Blog Posts