Special Topics in Health Information Privacy
During the COVID-19 national emergency, which also constitutes a nationwide public health emergency, the HHS Office for Civil Rights (OCR) has provided guidance that helps explain how the HIPAA Privacy Rule allows patient information to be shared in the outbreak of infectious disease and to assist patients in receiving the care they need.
The U.S. Department of Education and the Office for Civil Rights at the U.S. Department of Health and Human Services issued joint guidance addressing the application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to records maintained on students.
At times, health care providers need to share mental and behavioral health information to enhance patient treatment and to ensure the health and safety of the patient or others. Parents, friends, and other caregivers of individuals with a mental health condition or substance use disorder play an important role in supporting the patient's treatment, care coordination, and recovery. The HIPAA Rules are designed to protect the privacy of all of an individual's identifiable health information and to ensure that health information is available when needed for treatment and other appropriate purposes. Given the sensitive nature of mental health and substance use disorder treatment information, OCR provides guidance addressing HIPAA protections, the obligations of covered health care providers, and the circumstances in which covered providers can share information—as applied to this context.
Researchers in medical and health-related disciplines rely on access to many sources of health information, from medical records and epidemiological databases to disease registries, hospital discharge records, and government compilations of vital and health statistics.
The Privacy Rule recognizes that the research community has legitimate needs to use, access, and disclose individually identifiable health information to carry out a wide range of health research protocols and projects. The Privacy Rule protects the privacy of such information when held by a covered entity but also provides ways in which researchers can access and use the information for research, subject to various conditions.
Protecting public health, including through public health surveillance, program evaluation, terrorism preparedness, outbreak investigations, and other public health activities, often requires access to or the reporting of the protected health information of individuals. This information is used to identify, monitor, and respond to disease, death, and disability among populations.
The Privacy Rule recognizes the legitimate need for public health authorities and certain others to have access to protected health information for public health purposes and the importance of public health reporting by covered entities to identify threats to the public and individuals. Thus, the Privacy Rule permits covered entities to disclose protected health information without authorization for specified public health purposes.
The Privacy Rule is carefully designed to protect the privacy of health information, while allowing important communications to occur. For example, the Rule permits the sharing of protected health information for emergency preparedness planning and response under a number of circumstances.
HHS has developed guidance materials addressing appropriate uses and disclosures of protected health information in emergency situations.
Health information technology (health IT) involves the exchange of health information in an electronic environment. Widespread use of health IT will improve the quality of health care, prevent medical errors, reduce health care costs, increase administrative efficiencies, decrease paperwork, and expand access to affordable health care. It is imperative that the privacy and security of health information be ensured as this information is maintained and transmitted electronically.
The Privacy Rule's established baseline of privacy protections and individual rights with respect to individually identifiable health information support the use of health IT and provide important protections in this area. The Security Rule supports the adoption of new health information technologies while setting standards to ensure appropriate protection of electronic protected health information.
OCR offers guidance for developers and others seeking more information about how the HIPAA Rules might apply to health applications, as well as a health app developer portal with Health App Use Scenarios and an opportunity to engage with OCR on issues and concerns related to protecting health information privacy in mHealth design and development.