A National Registry of COVID-19 Patients: The Legal Implications

Posted on 06-16-2020

By: L. Stephen Bowers, Andrew F. Susko, and Daniel J. Ferhat, White and Williams LLP

Medical data companies are reportedly[1] volunteering to join the fight against COVID-19 by offering to broadly share confidential, Health Insurance Portability and Accountability Act (HIPAA)-protected patient medical information they possess, including patient demographics, symptoms, testing results, treatment, and outcomes.

The creation of a national repository of health-related information and a potential registry of COVID-19 patients and patient information for use by government agencies and healthcare researchers would be without precedent. The privacy issues and concerns implicated by such sharing, while significant, are being considered in the greater context of a worldwide state of medical emergency and the need for medical and demographic data evaluation and research studies.

National Repository of COVID-19 Data

The data to be shared, almost without a doubt, would include protected health information about patients, including data that may have been collected prior to the relaxing of certain of HIPAA’s requirements. However, the Global Privacy Assembly (GPA) executive committee acknowledged that the challenge of slowing the outbreak “requires coordinated responses at national and global levels, including the sharing of personal information as necessary by organizations and governments, as well as across borders.” Understanding the way COVID-19 is being transmitted, the symptom development over time after initial exposure, the efficacy of specific treatments utilized and efforts to contain spread of the virus, the existence of area hot spots, and ultimately patient outcomes, can be analyzed through the use of protected medical and related data contained in provider medical records and insurance and government reimbursement documentation.

HIPAA

While HIPAA currently permits providers and healthcare researchers to use health data/information to assure quality of care within limited guidelines, the creation of a national bank of COVID-19-related medical data accessible to the government and healthcare scientists and researchers presents an entirely new circumstance challenging our existing laws and regulations. We are in uncharted territory for the businesses charged with holding and storing such data; the medical providers and insurance payers generating such data; and the government entities, scientists, and researchers looking to access and utilize such national data. And, while there is a demonstrated relaxing of federal regulatory enforcement and requirements, this does not offer protection against breach of contract actions or potential tort actions from patients or other interested parties asserting improvident use of specific health information. Business associates and covered entities who intend to rely upon the relaxed regulatory enforcement should be counseled to ensure that their compliance team considers contractual obligations, litigation risks, business issues, and coordination with operations, in addition to state and federal regulatory concerns.

Other Practical Considerations

Other practical considerations emanate from the creation of such a national repository of COVID-19 data and include the potential use of such data in evaluating the safety of having at least a portion of our workforce return, especially when a potential requirement of clean testing as a predicate for worker return is being discussed. Employers hopeful of soon seeing a return of at least a portion of their workers must also seek guidance and counsel to make sure they are acting responsibly and reasonably[2] under the circumstances. While the medical community has experience in use of data research in the world of clinical trials, such trials require the advance consent of patients, who enter the trial agreeing that the information about their progress will be studied and researched. But, can business associates, healthcare providers, and insurers freely provide and exchange such patient medical information, even without some type of informed consent?

Legal Precedent

There is legal precedent for special consideration of the emergency circumstances presented by COVID-19. While securing and protecting patient medical records and sensitive health information is an elemental precept acknowledged by virtually everyone in civilized society, there is also a recognition among lawmakers, public officials, courts, and healthcare leaders that existing rules and regulations need to be relaxed in times of an emergency. Even before the COVID-19 pandemic, many states had existing statutes that granted healthcare workers immunity for ordinary negligence when providing medical care in aid of disaster services or a declared public health emergency.[3]

The use of an emergency doctrine to allow a relaxing/bending of existing rules finds support in our history and even in our current law. In the aftermath of the 9/11 attack, for example, several cleanup workers seeking redress for respiratory injuries sustained at the World Trade Center brought claims for negligence and wrongful death against the City of New York, its Port Authority, and various general contractors and private entities. As noted by the court, “for when an emergent disaster threatens society as a whole, the doctrine of salus populi suprema lex (the welfare of the people is the highest law) requires the government to act, enlisting persons, firms, and corporations in the private sector to eliminate the threat to society and restore society’s ability to function.”[4]

During the Civil War, President Abraham Lincoln suspended habeas corpus as an avenue of judicial review because of the emergency circumstances presented by the war. The war analogy has been invoked with COVID-19. Additionally, when healthcare systems are unable to meet patients’ needs at the level normally expected because of a public health crisis, providers may need to transition from prioritizing optimum care for every patient and reallocate resources with the objective of doing the most good for the most people. This latter concept, which gives additional latitude to the healthcare decision maker, is known under the law as a crisis standard of care.

Conclusion

The use of national medical data, while essential as part of the fight against COVID-19, must be done with care and sensitivity to the unprecedented nature of the circumstances and the medical emergency which continues to unfold. Making reasonable efforts to protect, where possible, the privacy of the individual patient, consistent with allowing the sharing of the information in the context of a national and indeed worldwide medical emergency, is the current direction of the federal regulatory environment. Specific evaluation and reasonable efforts of front-line healthcare providers, including telehealth providers, insurers, and their associate businesses, should ultimately find protection under the law as the government and regulators address these issues.


L. Stephen Bowers (bowers@whiteandwilliams.com) is counsel at White and Williams LLP in the Healthcare Group. He serves a broad array of corporate clients and has notable experience guiding employers of all types, including private companies, government entities, nonprofits, and educational institutions through industry-specific employee compensation and benefits rules. Stephen advises employers on the design, operation, and regulation of executive compensation agreements and employee pension and healthcare plans. He is a trusted advisor with extensive subject-matter knowledge of health, privacy, and tax laws.

Andrew F. Susko (suskoa@whiteandwilliams.com) is a partner at White and Williams LLP and a member of the Healthcare Group. He focuses his practice on complex litigation matters in a wide variety of businesses, including leading healthcare institutions, public electrical and natural gas utilities, equipment and tool manufacturers, and insurers. Andy has substantial courtroom experience, trying cases to jury verdict and through appeal in state and federal court. He concentrates his defense trial practice in healthcare and medical malpractice liability claims, utility catastrophic loss and contractual indemnity actions, construction accident claims, product liability actions, and life and disability claims, including cases where punitive damages and bad faith are pursued.

Daniel J. Ferhat (ferhatd@whiteandwilliams.com) is a partner at White and Williams LLP and a member of the Healthcare Group. He focuses his practice on medical malpractice litigation and general liability matters. As a trial lawyer, he defends hospitals, physicians, nurses, and other healthcare practitioners against professional liability claims at the trial court and appellate court levels. Dan is called upon to defend a wide array of medical malpractice matters, including cases involving death, brain-damage, obstetrical complications, medication errors, orthopedic injuries, decubitus ulcers, and surgical complications. He also defends corporations and other commercial enterprises against premises liability lawsuits.


*This article was first published in the June 2020 issue of Pratt’s Privacy & Cybersecurity Law Report. All rights reserved. Visit the website to subscribe, https://store.lexisnexis.com/.


1. https://www.wsj.com/articles/companies-seek-to-pool-medical-records-to-create-coronavirus-patient-registry-11586381102

2. https://www.reuters.com/article/us-health-coronavirus-walmart-lawsuit/estate-of-walmart-worker-who-died-from-covid-19-sues-for-wrongful-death-idUSKBN21P2AG

3. See, e.g., in Pennsylvania, 35 Pa. Con. Stat. Ann. § 7101 et seq. and in New Jersey, N.J. Stat. § 26:13-19, et seq.

4. In re World Trade Ctr. Disaster Site Litig., 456 F. Supp. 2d 520, 550 (S.D.N.Y. 2006).