Covered Entities May Disclose COVID-19-Related Protected Health Information—But Only Under Certain Conditions
Healthcare entities are facing a growing number of challenges related to the virus SARS-CoV-2 and the disease caused by that virus, COVID-19. Among the primary concerns is whether a specific healthcare entity is covered by the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA); and if so, how to avoid violating that rule when sharing names or other identifying information of individuals infected with or exposed to the virus.
The U.S. Department of Health and Human Services (HHS) has issued a summary of the circumstances in which HIPAA’s Privacy Rule allows a covered entity to share that information with law enforcement, paramedics, other first responders, and public health authorities, without an individual’s explicit authorization.
The Privacy Rule applies to “covered entities,” which includes health care providers, health plans, and health care clearing houses.
Specific examples of health care providers are:
- Nursing homes
However, the Privacy Rule only allows these covered entities to disclose an individual’s protected health information (PHI) if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.
Health plans include:
- Health insurance companies
- Health maintenance organizations
- Employer-sponsored health plans
- Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans’ health care programs
Health care clearing houses include entities that process nonstandard health information they receive from another entity into a standard format (e.g., standard electronic format or data content), or vice versa.
The HHS clarified that if, in fact, the entity at issue falls within the definition of “covered entity,” it is permitted to disclose the PHI of an individual infected with—or exposed to—COVID-19, with “law enforcement, paramedics, other first responders, and public health authorities” without explicit authorization from the affected individual, in certain circumstances. According to the HHS, those circumstances include:
- When the disclosure is needed to provide treatment
- When the notification is required by law (i.e., reporting cases of infectious diseases to public health officials)
- To notify a public health authority in order to prevent or control the spread of disease
- When first responders may be at risk of infection
- When disclosure to first responders is necessary to prevent or lessen a serious/imminent threat to a person or the public
- When responding to a request for PHI by a correctional institution/law enforcement official having lawful custody of an inmate or other individual
Generally, a covered entity must make reasonable efforts to limit the amount of information disclosed to that which is the “minimum necessary” to accomplish the purpose for the disclosure. According to the HHS guidance, prior to making such disclosure, covered entities “should consult other applicable laws (e.g., state and local statutes and regulations)” for any further restrictions on disclosures that may be applied outside of the HIPAA Privacy Rule.
The HHS notice provides examples of disclosures from various covered entities; it also provides a list of related resources related to the coronavirus and other types of disclosures. Covered entities may want to add those to the list of resources for dealing with the COVID-19 situation.