Pandemic Doesn't Alter HIPAA Privacy, Public Welfare Balance

By Rachel Rose and Habib Ilahi

Law360 (April 16, 2020, 6:25 PM EDT) --
It is uncontested that COVID-19, the disease that stems from the novel coronavirus[1], is a communicable disease that was declared a pandemic by the World Health Organization on March 11, followed by a declaration of a national emergency by the U.S. president on March 13.[1]

As a result of the coronavirus, several issues have been raised in relation to an individual's privacy versus public disclosure of information related to coronavirus patients.

One law familiar to patients, medical professionals and lawyers alike is the Health Insurance Portability and Accountability Act of 1996.[2] HIPAA has a number of components ranging from the portability of health insurance to combating health care fraud to protecting protected health information through the privacy rule and the security rule.[3]

A concern that has been raised is the balancing of an individual's rights versus the public's access to data. The fundamental questions, which this article addresses, are as follows: (1) how does HIPAA apply during a declared emergency, whether it's the coronavirus or a natural disaster such as Hurricane Harvey; and (2) what information may be permissibly disclosed to the public? 

Thankfully, Congress and the U.S. Department of Health and Human Services anticipated situations in which certain information may be disclosed to promote the general welfare while balancing an individual's right to privacy and autonomy.

HIPAA and Emergencies

Americans value individual rights, including the right to privacy. Yet, our founding fathers clearly stated in the preamble of the U.S. Constitution that society, as a whole, must be considered.

We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defense, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.[4]

In considering the U.S. Constitution, Congress and HHS sought to balance the disclosure of protected health information in certain circumstances with an individual's right to privacy and the general welfare of American citizens. These exceptions to the privacy rule actually apply all the time.

And, in a February 2020 bulletin, HHS emphasized that:

The HIPAA Privacy Rule protects the privacy of patients' protected health information (PHI) but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation's public health, and for other critical purposes.[5]

HHS went on to identify the parameters for sharing information without patient consent:

1. Treatment;[6]

2. Public health activities;[7]

a. A covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have novel coronavirus;

b. At the direction of a public health authority, to a foreign government agency;

c. To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations; and

3. Disclosures to prevent a serious and imminent threat.[8]

While HIPAA enables disclosures without authorization under certain circumstances, it requires a patient's consent before making a public disclosure about his or her condition. Stated another way, a hospital cannot have a rolling list posted on its website of all of the patients who have been diagnosed with and/or died from the coronavirus. That is not what disclosure to a public health authority means.

Further, the privacy rule contains a minimum necessary standard, which HHS has described as follows:

For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the "minimum necessary" to accomplish the purpose. (Minimum necessary requirements do not apply to disclosures to health care providers for treatment purposes.) Covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose, when that reliance is reasonable under the circumstances. For example, a covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have Novel Coronavirus (2019-nCoV) is the minimum necessary for the public health purpose. In addition, internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties.[9]

In closing the February 2020 bulletin, HHS emphasized that even in an emergency situation, covered entities and business associates, which includes subcontractor-business associates:

must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.[10]

HHS here underscores that while disclosures may be made, providing information about individual patients on a mass scale to the public at large is still not permissible, even during a pandemic.

Public Need for Disclosure of Protected Health Information

According to the National Institutes of Health:

The primary justification for protecting personal privacy is to protect the interests of individuals. In contrast, the primary justification for collecting personally identifiable health information for health research is to benefit society. But it is important to stress that privacy also has value at the societal level, because it permits complex activities, including research and public health activities to be carried out in ways that protect individuals' dignity.[11]

There are different ways that information can be requested from government sources. Notwithstanding recent suggestions to curtail protections on the disclosure of protected health information,[12] the Freedom of Information Act [13] places limits on the types of information that can be disclosed. FOIA contains nine exemptions and three exclusions.[14]

For example, exemption 6 enables federal agencies to withhold "personnel and medical files and similar files the disclosure of which would constitute clearly an unwarranted invasion of personal privacy."[15] Like HIPAA, FOIA (and other laws) also places restrictions on the disclosure of protected health information. 

Another common request for information made to the government is called a Touhy request, under U.S. ex rel. Touhy v. Ragen, which is similar in some ways to a FOIA request, but is associated with "subpoenas and other requests for official information for litigation purposes."[16] Often, government agencies, such as the Indian Health Service, expressly state that the release of information must be consistent with the HIPAA privacy rule and the Privacy Act of 1974.[17]

Additionally, for those of us who litigate, Federal Rule of Civil Procedure 5.2 requires privacy protection for filings made with the court.[18] Attorneys and pro se litigants alike may include only the following:

(1) the last four digits of the social security number and taxpayer-identification number; (2) the year of the individual's birth; (3) the minor's initials; and (4) the last four digits of a financial account number.[19]

This is in keeping with HIPAA's privacy rule, even during times of emergency.

In terms of the data that the public is entitled to, the Centers for Disease Control and Prevention issued interim guidance and provides a map and statistics.[20] The public and health officials have access to daily trends. So, this begs the question: Why would someone be entitled to an individual's data, including all symptoms, etc., especially when it is aggregated and available on a variety of websites such as those of the CDC and Johns Hopkins?[21]

Additionally, partnerships between entities such as HCA Healthcare Inc. and Google Inc. for tracking purposes have been approved during the crisis.[22] While it is given that HIPAA provides for the deidentification of protected health information,[23] such deidentification is not necessary if the aggregate data is already out there. It seems difficult to justify the disclosure of protected health information when the aggregate is already available.


In our collective experience, getting individual information through either a FOIA or a Touhy request is difficult. And it should be. The right to privacy is inherent in the Constitution, and laws such as HIPAA include exceptions that balance an individual's right against the public's welfare. COVID-19 is no different.

As crippling as this pandemic is to the U.S. and the rest of the world, the data that the public needs to make informed decisions is already available through the CDC and the World Health Organization. Any erosion of disclosure protections afforded to patients regarding their protected health information would undermine the benefits to society. The laws and guidance have safeguards in place to balance these two competing interests of patient privacy and public welfare.

Rachel V. Rose is the principal of Rachel V. Rose — Attorney at Law PLLC. She teaches bioethics at Baylor College of Medicine.

Habib F. Ilahi is a partner at Stinson LLP and a former federal prosecutor with the Civil Frauds Section of the U.S. Department of Justice.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

[1] R.V. Rose, Individual rights and communicable diseases in light of the Coronavirus, Physicians Practice (Mar. 26, 2020),

[2] HIPAA, Pub. L. 104-191 (Aug. 21, 1996).

[3] See Omnibus Final Rule, 78 Fed. Reg. 5566 (Jan. 25, 2013), which incorporates explanations and changes to the Privacy Rule and the Security Rule.

[4] Supra n. 1.

[5] Office for Civil Rights, U.S. Department of Health and Human Services, BULLETIN: HIPAA Privacy and Novel Coronavirus (Feb. 2020),

[6] 45 CFR §§ 164.502(a)(1)(ii), 164.506(c).

[7] 45 CFR §§ 164.501 and 164.512(b)(1)(i), (iv).

[8] 45 CFR § 164.512(j).

[9] Office for Civil Rights, U.S. Department of Health and Human Services, BULLETIN: HIPAA Privacy and Novel Coronavirus (Feb. 2020),

[10] Id.

[11] National Institutes of Health, The Value and Importance of Health Information Privacy, (last visited Apr. 15, 2020).

[12] A. Sumar, HIPAA Does Not Override Public Access to COVID-19 Data, Law 360 (Apr. 10, 2020),

[13] FOIA, 5 U.S.C. 552.

[14] Id.

[15] 5 U.S.C. 552(b)(6).

[16] U.S. ex rel. Touhy v. Ragen, 340 U.S. 462 (1951). U.S. Navy Judge Advocate General's Corps, Touhy Requests, (last visited Apr. 15, 2020).

[17] Indian Health Services, Indian Health Manual – Chapter 27 – Responding to Requests for IHS Employee's Testimony or IHS Documents in Proceedings where the United States is not a Party, (last visited Apr. 15, 2020). See also, U.S. Department of Justice, Privacy Act of 1974, (last visited Apr. 15, 2020).

[18] Fed. R. Civ. P. 5.2, (last visited Apr. 15, 2020).

[19] Id. See also (last visited Apr. 15, 2020).

[20] Centers for Disease Control and Prevention, Interim Guidance: Public Health Communicators Get Your Community Ready for Coronavirus Disease 2019 (COVID-19),

[21] Id. See also (last visited Apr. 15, 2020).

[22] See (Apr. 9, 2020).

[23] HHS, Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, (last visited Apr. 15, 2020).
