There is a whole new business of contact tracing which has emerged thanks to the pandemic and COVID-19.
As health care facilities and other companies implement new contact tracing tactics and initiatives, it’s important to highlight the liabilities of collecting, storing and managing personal health information.
Contact Tracing: Are Contact Tracers Subject to HIPAA?
HIPAA, which exists to protect the personal health information of individuals, extends to contact tracers in certain ways.
The HIPAA privacy rules apply to health plans, health care clearinghouses, and any health care provider (as well as business associates) that transmit health information in connection with transactions for which the government (HHS) has adopted standards under HIPAA. Most tracing companies do not appear to fit any of the categories subject to the HIPAA rules.
However, contact tracing is most effective when patients trust that their privacy will be protected. Therefore, just because most tracing companies may not be directly subject to HIPAA doesn’t negate the duty of care associated with a patient’s health information and privacy. Also, they may be subject to HIPAA if acting as a Business Associate.
Contact Tracing & Protected Health Information FAQ
Digital contact tracing has been helpful in tracking COVID-19-infected patients. These frequently asked questions can help if you are providing contact tracing or are a HIPAA covered entity dealing with infection tracing of this virus.
Q: Can Protected Health Information (PHI) be provided by the tracing company without consent?
A: Under HIPAA, health care providers can disclose the PHI of individuals suspected of having contracted the virus to public health authorities who are authorized by law to receive PHI for preventing or controlling the spread of COVID-19. These providers include family, friends, caregivers, and law enforcement who can provide this information without a patient’s permission. To this extent, HIPAA defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety. [Source: 45 CFR 164.512(j).]
Q: What if our tracing company handles PHI on behalf of health care entities?
A: If the contact tracing company signs a BAA, it is subject to HIPAA. Any person or organization identified under HIPAA as a Business Associate must sign a BAA. Therefore, if the tracing company is working for a provider (such as a college’s medical clinic) and signs a BAA, then it would be subject to HIPAA.
Q: If clients of the tracing company ask for information about individuals who have no relationship to the tracing company clients (but who have been traced and who had been in contact with individuals who had contracted COVID-19, the latter of whom do have a relationship with the clients), is the tracing company obligated to provide the clients with information about those individuals, potentially including protected health information about such individuals?
A: These individuals have an expectation of privacy, so the hiring entity should not have access to that information.
Q: If not subject to HIPAA, and operating in the State of Florida, could contact tracing companies still be subject to FIPA?
A: Yes, FIPA applies to any entity doing business in Florida that acquires or stores personal information. When the information includes name and social security number and other personal information, then it is broader than HIPAA.
Knowing Your Legal Rights
We represent contact tracing companies and other entities who seek professional help with understanding their HIPAA and FIPA responsibilities. Discover more about Contact Tracing for professionals.
Contact the law offices of Howell, Buchan & Strong; Attorneys at Law for your free consultation at any one of our locations:
Orlando (407) 717-1773 | Tallahassee (850) 877-7776 | Tampa (813) 833-6726 | Sarasota (941) 779-4348