On March 24, 2020, the Office for Civil Rights (OCR) at the Department of Health and Human Services issued guidance on how HIPAA covered entities may disclose protected health information (PHI) about an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.
The guidance explains the circumstances under which a covered entity may disclose PHI such as the name or other identifying information about individuals, without their HIPAA authorization, and provides examples including:
- When the disclosure is needed
to provide treatment.
For example, HIPAA permits a covered skilled nursing facility to disclose PHI about an individual who has COVID-19 to emergency medical transport personnel who will provide treatment while transporting the individual to a hospital's emergency department. - When such notification is
required by law.
For example, HIPAA permits a covered entity, such as a hospital, to disclose PHI about an individual who tests positive for COVID-19 in accordance with a state law requiring the reporting of confirmed or suspected cases of infectious disease to public health officials. - To notify a public health
authority in order to prevent or control spread of
disease.
For example, HIPAA permits a covered entity to disclose PHI to a public health authority (such as the CDC), or state, tribal, local, and territorial public health departments that is authorized by law to collect or receive PHI for the purpose of preventing or controlling disease, injury, or disability, including for public health surveillance, public health investigations, and public health interventions. - When first responders may be
at risk of infection.
A covered entity may disclose PHI to a first responder who may have been exposed to COVID-19, or may otherwise be at risk of contracting or spreading COVID-19, if the covered entity is authorized by law, such as state law, to notify persons as necessary in the conduct of a public health intervention or investigation. For example, HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. " - When the disclosure of PHI to
first responders is necessary to prevent or lessen a serious and
imminent threat to the health and safety of a person or the
public.
A covered entity may disclose PHI to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat, which may include the target of the threat.
For example, HIPAA permits a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties. - When responding to a request
for PHI by a correctional institution or law enforcement official
having lawful custody of an inmate or other individual, if the
facility or official represents that the PHI is needed
for:
- providing health care to the individual;
- the health and safety of the individual, other inmates, officers, employees and others present at the correctional institution, or persons responsible for the transporting or transferring of inmates;
- law enforcement on the premises of the correctional institution; or
- the administration and maintenance of
the safety, security, and good order of the correctional
institution.
For example, HIPAA permits a covered entity, such as a physician, located at a prison medical facility to share an inmate's positive COVID-19 test results with correctional guards at the facility for the health and safety of all people at the facility.
This guidance clarifies the regulatory permissions that covered entities may use to disclose PHI to first responders and others so they can take extra precautions or use personal protective equipment. The guidance also includes a reminder that generally, covered entities must make reasonable efforts to limit the PHI used or disclosed to that which is the "minimum necessary" to accomplish the purpose for the disclosure."
To view Foley Hoag's Security, Privacy and The Law Blog please click here
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
