OCR issues HIPAA guidance on COVID-19 disclosures to law enforcement, first responders and public health authorities

On March 24, 2020, the Office for Civil Rights (OCR) at the Department of Health and Human Services issued guidance on when the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits covered entities to share protected health information (PHI) of an individual who is infected with or exposed to COVID-19 with law enforcement, first responders and public health authorities.

The Privacy Rule requires HIPAA covered entities (principally health care providers, which often include municipally-run emergency medical services, and health plans) to obtain authorization from an individual in order to disclose his or her protected health information (PHI) unless the disclosure fits within a specific Privacy Rule provision allowing disclosure without the individual’s authorization.  OCR’s new guidance provides the following as examples of permitted disclosures of an individual’s COVID-19 PHI to law enforcement, first responders and public health authorities:

  • as needed for treatment, such as disclosure to emergency medical transport personnel for treatment during transportation to a hospital’s emergency department;
  • notification as required by law, such as reporting positive COVID-19 test results to public health officials;
  • disclosure to a public health authority in order to prevent or control the spread of disease;
  • disclosure to a first responder who may have been exposed to COVID-19, or may be at risk of contracting or spreading COVID-19, if the covered entity (such as a county health department) is authorized by law to provide notification during a public health intervention or investigation;
  • disclosure to first responders, child welfare workers or others as necessary to prevent or lessen a serious and imminent threat to health and safety, such as disclosing PHI about individuals who have tested positive for COVID-19 if the covered entity believes in good faith that the disclosure is necessary to prevent or minimize the threat of imminent exposure;
  • disclosure of an inmate’s positive COVID-19 test results at the request of the correctional institution or related law enforcement official to provide health care or for health and safety of the inmate or others at the facility;
  • providing an EMS dispatch with a list of names and addresses of individuals who tested positive for COVID-19, or received treatment for COVID-19, for use on a per-call basis to inform EMS personnel so that they can take extra precautions or use personal protective equipment (PPE); or
  • screening questions by a 911 call center to identify potential cases of COVID-19 and providing the information to a police officer so that the officer can take extra precautions or use PPE to reduce the risk of exposure to COVID-19, limited to the minimum amount of information that the officer needs to take appropriate precautions to minimize the risk of exposure.

It is important to keep in mind that the Privacy Rule requires a covered entity or business associate to make reasonable efforts to limit its disclosure of PHI to the minimum necessary for the permitted purpose, unless the disclosure is for treatment or is required by law. A covered entity is allowed to rely on assurances from the permitted recipient that the requested PHI is the minimum necessary for the permitted purpose, if reliance is reasonable in the situation.

The Privacy Rule allows substantial flexibility for covered entities and business associates to disclose COVID-19 information for treatment, public health and related purposes. It is crucial, however, to ensure that the relevant Privacy Rule requirements for disclosure are satisfied and that each party (the disclosing covered entity or business associate and the recipient of the PHI) is following its policies and procedures.  Moreover, in some cases other federal or state laws may place additional restrictions on the use or disclosure of PHI.  For example, some providers face additional hurdles to disclosing substance use disorder (SUD) information that is protected under 42 CFR Part 2

For questions or assistance, contact an attorney listed below.

+