COVID-19 and the HIPAA Privacy Rule: Asked and Answered

The severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2), the virus that causes coronavirus disease 2019 (COVID-19), raises important and vexing privacy and security issues. Public health officials, law and policy makers, and members of the general public disagree, for example, regarding the amount and type of individually identifiable health data that should be collected, used, and disclosed for public health surveillance, public health investigation, and public health intervention. Stakeholders also diverge in their opinions regarding the sufficiency of federal and state data privacy and security laws. Some stakeholders believe that current statutes and regulations are sufficient to protect individually identifiable COVID-19 data whereas others contend that new privacy and security laws are needed. At a more basic level, stakeholders also vary in their understanding of the application of the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules) to particular uses and disclosures of COVID-19 data. This Article responds to the varying levels of public understanding of HIPAA by: (1) summarizing the HIPAA Rules and assessing the many waivers, notices of enforcement discretion, guidance documents, bulletins, frequently asked questions, and webinars (collectively Guidance) released by the federal Department of Health and Human Services (HHS) during the COVID-19 pandemic; (2) identifying and answering additional HIPAA Rules questions not addressed, or not sufficiently addressed, by the HHS Guidance; and (3) proposing amendments to HHS’s process for releasing guidance that are designed to improve the public’s understanding of the proper use and disclosure of infectious disease data during public health emergencies.