The U.S. Department of Health and Human Services (HHS) issued a bulletin to remind covered entities and their business associates that the HIPAA Privacy Rule’s protections still apply during a public health emergency, such as the current coronavirus (COVID-19) outbreak. The bulletin also outlines the different ways that patient information may be shared under the Privacy Rule during an outbreak of infectious disease or another emergency situation.
- The Privacy Rule only applies to covered entities and their business associates, and not employers. Covered entities include health plans, most health care providers and health care clearinghouses.
- In general, medical information that is provided to an employer directly by an employee is not subject to the Privacy Rule, although other federal and state privacy restrictions may apply, including the ADA.
- HHS announced that it will not impose penalties for HIPAA noncompliance against health care providers that serve patients through everyday communication technologies (such as FaceTime or Skype) during the COVID-19 nationwide public health emergency.
Download the entire Bulletin.