HIPAA Rights: Is COVID-19 a Challenge to Privacy?

In light of the coronavirus pandemic, the Office of Civil Rights has effectively commissioned a paper trail that traces a tested individual's health status across various areas of their life. This article discusses findings from The National Law Review that explore whether certain aspects of The CARES Act violates people's right to privacy and even the constitution. It asks if the waiving of vital aspects of HIPAA regulations as a result of COVID-19 could have repercussions for the public. HIPAA exists to protect privacy and prevent organizations from commodifying health care.   

The HIPAA Revolution in Privacy

In 1996, the Health Care Insurance Portability and Accountability Act outlined security, privacy and standardization requirements for personal health information. It imposed rules to limit the disclosure and use of people's PHI without the individual's prior permission. The privacy regulations established a set of fundamental rights regarding people's sensitive health care information.

In the furor surrounding the COVID-19 outbreak, there are new incentives for releasing PHI in the name of coronavirus  but could these new powers be abused? 

Guidance From the Department of Health and Human Services

The OCR released a bulletin that reminded covered entities of their obligations under HIPAA, given the pandemic. They stated that it's permissible to disclose PHI with the patient's permission if it's necessary for treatment, care coordination and care management. Those covered under the rulings also have permission to release PHI without authorization to the following entities:

  • Public health authorities, such as local health departments or the CDC
  • Foreign government agencies if directed by any of the above
  • Individuals who are at risk of spreading or contracting a disease, when authorized by law
  • People involved in a patient's care who have either received verbal permission to do so or in the case that the patient is unresponsive and a health care professional deems disclosure to be in their best interests
  • Anyone as required to decrease an imminent or serious threat to health and safety

These surprisingly vague guidelines have been deemed by some individuals and organizations to be a potential breach of the constitution. 

The Constitution and Privacy

The constitution doesn't give the public a right to privacy. Instead, the courts have extrapolated privacy laws from the clauses within the first, third, fourth, fifth and 14th amendment of the constitution. As such, the public can expect a certain level of protection against invasive actions from the governments. 

In 1905, the Jacobson v. Commonwealth of Massachusetts case set a precedent for the type of violations we potentially see after COVID-19. A law was passed that dictated that the state could enforce vaccination and revaccination against smallpox in the name of public health and safety. Cambridge deemed the prevention of the spread of the disease as more significant than an individual's constitutional right to privacy.  

What Is The CARES Act?

The Cares Act seems to define that releasing PHI is at risk of becoming normalized. One part of the act the Pandemic Unemployment Assistance  offers benefits to people who aren't entitled to standard Unemployment Compensation. They provide this benefit in the following circumstances:

  1. The person has a diagnosis, or they're experiencing symptoms of, COVID-19 and are seeking health care services
  2. Someone else in an individual's household has a COVID-19 diagnosis
  3. An individual is providing care to a family member or someone in their household with COVID-19
  4. They aren't able to work because they've been told to self-isolate as a result of contact with an infected person
  5. If someone was supposed to start a new job and they've been unable to as a direct result of the coronavirus pandemic
  6. When a person becomes the head of their household as a result of coronavirus-related bereavement
  7. Someone has had to quit their job because they couldn't perform their duties as a result of COVID-19
  8. If a person's place of employment has closed because of coronavirus.

In addition to these eight stipulations, The CARES Act provides benefits in 68 incidences that permit them to apply for compensation. While these encourage the public to report on their health status, it has also opened a can of worms. Anyone who knows the identity of an individual who has tested positive can capitalize on their diagnosis. 


The additional legislation has watered down HIIPA's privacy rule. Previously there was a mandate for the universal privacy of a patient's PHI data, which has all but dissolved as a result of COVID-19.  As far as the HHS is concerned, however, information is fuel for the overall provision of health care and sharing it is necessary during a pandemic. 

Have There Been Any HIPAA Violations Since the Coronavirus Outbreak?

Before the OCR bulletin, a man from New Jersey's health status was widely reported in the media and by the Health Commissioner himself. The entire journey of his illness, through to his unfortunate death, was given to the press under the guise that it was justified because he was the first COVID-19-related death in the state. However, prior to the pandemic, this gentleman's privacy would have been protected under HIPAA.

The West Coast has taken a much more cautious approach, tentatively holding information back in case it insights paranoia or attaches a stigma to individual members in a community. As such, the public information office in the Bay Area hasn't released the official number of cases in different cities. This is to prevent making individuals or communities more easily identifiable. 

Does COVID-19 Justify Suspending HIPAA Regulations?

Since the introduction of HIPAA, health information that makes an individual personally identifiable was explicitly protected. However, COVID-19 has created loopholes in the privacy aspect of HIPAA's function, which leaves people open to exploitation. As far as the OCR is concerned, protecting the public from the pandemic overrides certain instances of their rights to privacy. We conclude that this legislation requires reassessment, and in the meantime, health care professionals should continue to exercise proper judgment concerning PHI. 

If you or your team requires HIPAA training, visit the HIPAA Exams website today and browse our selection of compliance training modules.