On March 17, 2020, the Department of Health and Human Services, Office of Civil Rights (OCR) issued guidance related to how Covered Entities can comply with HIPAA and the Privacy Rule and still disclose protected health information (PHI) about individuals infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities (Essential Providers).

Specifically, OCR points out that HIPAA permits disclosure of PHI related to COVID-19 without an individual’s authorization to Essential Providers in the following instances:

  1. The disclosure is necessary for treatment. 45 CFR 164.502(a)(1)(ii) allows Covered Entities to disclose PHI “for treatment, payment, or health care operations.” In its example, OCR explains that a covered skilled nursing facility would be permitted to disclose PHI about an individual who has COVID-19 to emergency medical transport personnel, because they will provide treatment while transporting the individual to a hospital’s emergency department.
  2. The disclosure is required by law. 45 CFR 164.512(a) allows Covered Entities to disclose PHI if the disclosure is required by law and “the use or disclosure complies with and is limited to the relevant requirements of such law.” For example, OCR explains that a hospital can disclose that an individual tested positive for COVID-19 to the required public health official in accordance with a state law requiring the reporting of confirmed or suspected cases of infectious disease to public health officials.
  3. Disclosure to a public health authority to prevent or control the spread of disease. HIPAA also allows Covered Entities to disclose PHI to public health authorities who are “authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability.” 45 CFR 164.512(a). Thus, a Covered Entity would not need an individual’s authorization to disclose PHI to the CDC, because the CDC is authorized by federal law to receive such information to prevent and control the spread of COVID-19.
  4. Disclosure to first responders who may be at risk of infection. 45 CFR 164.512(b) allows a Covered Entity to disclose PHI to a first responder who may have been exposed to COVID-19 or may otherwise be at risk of contracting or spreading COVID-19, if the Covered Entity is authorized by law (e.g., a state law allowing it to notify persons as necessary) in the conduct of a public health intervention or investigation. For example, HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19.
  5. Disclosure of PHI to first responders when necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. 45 CFR 164.512(j)(1) allows a Covered Entity to disclose PHI without the individual’s authorization, consistent with applicable laws, when it reasonably believes (i) the disclosure is necessary to prevent or lessen a serious threat and (ii) the individual receiving the information would be able to prevent or lessen the threat with such information. For example, HIPAA permits a covered entity to disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties.
  6. Responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual, if the facility or official represents that the PHI is needed for:

     a. providing health care to the individual;
     b. the health and safety of the individual, other inmates, officers, employees and others present at the correctional institution, or persons responsible for the transporting or transferring of inmates;
     c. law enforcement on the premises of the correctional institution; or
     d. the administration and maintenance of the safety, security, and good order of the correctional institution.

For example, HIPAA permits a covered entity, such as a physician, located at a prison medical facility to share an inmate’s positive COVID-19 test results with correctional guards at the facility for the health and safety of all people at the facility.

Notwithstanding the guidance above, OCR noted that covered entities should keep in mind the minimum necessary requirement and that all disclosures shall be subject to reasonable efforts to limit the PHI being disclosed or used.

OCR provided helpful examples to illustrate real-world situations where the disclosures discussed above may become applicable. The full guidance can be found here: https://www.hhs.gov/sites/default/files/covid-19-hipaa-and-first-responders-508.pdf.