Privacy in the Time of Pandemics

Post Authored by Marvin Morazan

The current Coronavirus, or COVID-19, pandemic has seen significant changes to daily life, the closure of parks and trails, and an ongoing declaration of national emergency. Some of the invisible effects include its impact on personal privacy and the legal issues involved in declaring a national emergency for the pandemic.

Project Bioshield

The Project Bioshield Act was signed into law in 2004. It was designed to prepare the United States in the event of a biological, chemical, radiological, or nuclear attack and included provisions allowing the Department of Health and Human Services to modify certain HIPAA provisions. As a result, following the declaration of national emergency on March 13, 2020, HHS Secretary Alex Azar issued a limited waiver to certain HIPAA sanctions, aimed at improving data sharing and patient care.

Under normal circumstances, hospitals are required to obtain patients’ consent before disclosing certain medical information. Following Secretary Azar’s waiver, hospitals will not be penalized for failing to comply with requirements to obtain patients’ consent to speak with family members or friends involved in patient care, honor a request to opt-out of the facility directory, distribute a notice of privacy practices comply with patients’ right to request privacy restrictions and comply with patients’ rights to request confidential communications. This waiver went into effect on March 15 and will only apply to providers located in the emergency area defined in the public declaration.

Why is my data being shared?

Normally, patients’ privacy is paramount and there are harsh restrictions on sharing patient information without obtaining proper consent. During a pandemic of a novel virus with many unknowns, it is extremely important that healthcare services are able to pool their resources and freely share information for research and life-saving measures. Looking at the waiver itself, hospitals will not be penalized for failing to comply with provisions relating directly to sharing information. For example, hospitals will be able to share information related to patient care with family members or friends involved in care, without obtaining the patient’s consent beforehand.

These waivers are critical because healthcare providers are able to immediately share information with family members or friends involved in care; waiting for a patient’s consent could be devastating. HIPAA already allows data to be shared with public health authorities such as the CDC or a local health department to prevent or control diseases. but this waiver allows for additional data to be shared that would otherwise be prohibited.

Can I prevent this sharing?

Patients can’t realistically prevent a hospital from sharing their healthcare information if it is relevant to a family member or a friend caring for that patient. Secretary Azar’s waiver gives little recourse if a patient did not consent to have their information shared. However, disclosures to the media or others not involved in the patient’s care are still prohibited. Under the waiver, even when data is disclosed, it must be the minimum amount necessary required to accomplish healthcare workers’ purposes.

As a result, sharing these patients’ data is largely beneficial; further, most patients tend to allow their data to be shared when signing the intake forms at the hospital. When doctors and hospitals are able to share relevant treatment data, the quality of that treatment improves and updates the most current treatments being used on other patients. Especially during a pandemic, this rapid sharing of patient data is critical to prevent the spread of disease and help patients recover faster.

How long does the waiver apply?

The waiver was made effective on March 15, 2020, and will be in effect until the declaration of public emergency ends. When the declaration ends, all hospitals must immediately comply with the requirements of the Privacy Rule for any patient still under its care. It won’t be possible for the hospital to un-share any data that has already been shared. However, future data sharing would only be permitted after obtaining the patient’s consent. If patients are concerned about their data being shared after the emergency declaration ends, they should speak with their doctor or a hospital administrator and request documentation about their privacy.

No one knows how long the health crisis will last. But, by sharing information about treatments, doctors and hospitals will be able to provide a higher quality of care and find a solution as quickly as possible. For the time being, it’s important to stay home, stay safe, and stay healthy.

About the Author:

MarvinMarvin Morazan graduated from the University of the Pacific with a major in International Relations. He obtained his law degree from Loyola University Chicago, School of Law in 2019. In law school, Marvin was an Executive Editor on the Journal of Regulatory Compliance, a member of the Loyola ABA Negotiations Team, and was invited to be the only student at the Marketplace Risk Management Conference (2018) in San Francisco, California. 

Marvin is licensed to practice in the state of Illinois and is a member of the Illinois State Bar, Cook County Bar Association, Intellectual Property Law Association of Chicago, and the International Trademark Association. He is also a member of the Theta Chi fraternity.

Marvin joined Interactive Brokers in October 2019 and currently does work in financial compliance and enhanced due diligence. He also performs consulting on a variety of privacy law matters and enterprise risk management through his consulting firm – MGM Compliance Consulting.



Leave a Reply