Blog Post

COVID-19 and HIPAA: 3 things health care organizations should know


By Kenneth White | March 20, 2020

Increases in data sharing during COVID-19 can make privacy breaches more likely. Health care organizations need to understand their legal responsibilities.


About our COVID-19 coverage

In our ongoing coverage of the COVID-19 outbreak, experts from across Willis Towers Watson share insight into what you need to know to manage your business and employees and reduce your risk.

COVID-19 was first reported on December 31, 2019, and declared a public health emergency by the World Health Organization (WHO) on January 30, 2020. On March 11, 2020, the WHO declared COVID-19 a pandemic. Over 150,000 cases have been confirmed (probably an understated number, as most infections cause only mild to moderate symptoms and go untested and unreported) and over 4,000 deaths have occurred worldwide, mostly in China, where the outbreak originated.

With the volume of information being reported to governments, intense media and social media scrutiny, and fear and paranoia surrounding COVID-19, the likelihood of privacy breaches rises considerably.

Such compromises of personal data could take the form of a negligent disclosure, a compromise of a system by an outside attacker, or improper internal access to records within a health system or outpatient office by careless or curious employees.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) restricts the use and disclosure of protected health information (PHI). Its rules bind the covered entities that hold the information (health care providers, health plans and clearinghouses) and the business associates that handle PHI on their behalf. Improper disclosure of PHI can subject covered entities and business associates alike to penalties, regardless of how the breach occurred.

Though HIPAA does not create a private right of action for a breach, most states have enacted their own privacy statutes that allow those whose PHI has been improperly disclosed, by any means, to bring suit. Some states, such as California, allow the plaintiff to recover without proving that the breach caused damage.

Does HIPAA change with the COVID-19 outbreak?

On February 3, 2020, the U.S. Department of Health and Human Services Office for Civil Rights (OCR), which is charged with HIPAA enforcement, published a bulletin discussing the Privacy Rule in the context of COVID-19. The bulletin reminds all covered entities that HIPAA still governs disclosure of PHI during a public health emergency. It also describes several situations in which covered entities might fail to maintain the letter and intent of the law and regulations governing PHI under the current stressful circumstances.

Regardless of requests from reporters, family and others, and certainly in the instance of employee misconduct, disclosure of PHI without the patient's authorization is permitted only in narrow circumstances. Generally, these are: disclosures needed to treat the patient (HIPAA permits treatment disclosures without the patient's authorization); disclosures to authorized public health authorities, such as the Centers for Disease Control and Prevention (CDC) or a state or local health department, or at their direction; and disclosures to persons at risk of spreading or contracting the virus, where state law authorizes them and then only to the minimum necessary. Health care organizations should contact legal counsel if any uncertainty exists.

What should health care organizations do now?

Improper disclosures, including hacking and access to PHI by employees and agents who are not authorized under HIPAA to view it, can and will subject health care entities to significant fines, penalties and civil liability under state and federal law. Many errors and omissions, directors' and officers' liability and cyber policies provide coverage for these breaches. A thorough review of your insurance coverage is nonetheless necessary, alongside a stringent review of policies and procedures to ensure compliance with HIPAA and all state laws and regulations governing the disclosure of PHI during this time.

Each applicable policy of insurance must be reviewed to determine the extent, if any, of coverage for COVID-19. Coverage may vary depending on the jurisdiction and circumstances. For global client programs it is critical to consider all local operations and how policies may or may not include COVID-19 coverage.


The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal and/or other professional advisors. Some of the information in this publication may be compiled by third party sources we consider to be reliable, however we do not guarantee and are not responsible for the accuracy of such information. We assume no duty in contract, tort, or otherwise in connection with this publication and expressly disclaim, to the fullest extent permitted by law, any liability in connection with this publication.

Willis Towers Watson offers insurance-related services through its appropriately licensed entities in each jurisdiction in which it operates.


Kenneth White

NA Managed Care Practice and COE Leader
National Health Care Practice
