OCR HIPAA Guidance For Getting PHI of COVID-19 Exposed Individuals to First Responders
Wednesday, March 25, 2020
COVID-19 Protected Health Information
Print Mail Download i

With first responders on the front lines of helping to fight the coronavirus, sharing information about potential exposure to COVID-19 is critical to protecting them and preventing further spread. In these situations, the information shared is most often “protected health information” (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. To help clarify when PHI can be shared in these circumstances, the Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS) issued guidance relating to sharing PHI about individuals who have been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities.

The idea is to make clear when PHI can be given to first responders and others so they can take extra precautions or use personal protective equipment (PPE), and to remind covered entities to follow the “minimum necessary” rule in the process.

According to the guidance, the HIPAA Privacy Rule permits a covered entity to disclose PHI of an individual who has been infected with, or exposed to, COVID-19, with law enforcement, paramedics, other first responders, and public health authorities without the individual’s HIPAA authorization, in certain circumstances, including the following:

  • To provide treatment. For example, a nurse in a skilled nursing facility can alert emergency medical transport personnel that the individual they are transporting to a hospital’s emergency department has COVID-19.

  • When required by law. An example is a hospital making a disclosure of positive COVID status pursuant to a state law requiring the reporting of confirmed or suspected cases of infectious disease to public health officials.

  • When first responders may be at risk for an infection. Covered entities authorized by law to notify persons as necessary in the conduct of a public health intervention or investigation may inform first responders who may be at risk of infection. For example, HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. Similarly, a covered entity, such as a hospital, may provide a list of the names and addresses of all individuals it knows to have tested positive, or received treatment, for COVID-19 to an EMS dispatch for use on a per-call basis. The EMS dispatch would be allowed to use information on the list to inform EMS personnel who are responding to any particular emergency call so that they can take extra precautions or use PPE.

  • When the disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. For example, a covered entity may, consistent with applicable law and standards of ethical conduct, disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties.

These are just some of the examples in which PHI about an individual’s COVID-19 infection can be shared with first responders. The primary authority for these exceptions to the general rule of nondisclosure without an authorization is for treatment disclosures (45 CFR 164.502(a)(1)(ii)), legal requirements (45 CFR 164.502(a)(2)), and other purposes (45 CFR 164.512). Note, however, that unless the disclosure is required by law, for treatment purposes, or for certain other purposes, the covered entity must make reasonable efforts to limit the information used or disclosed to that which is the “minimum necessary” to accomplish the purpose for the disclosure.

Remember also that state laws may be more stringent than HIPAA concerning uses and disclosures of PHI. Thus, covered entities should consult other applicable laws (e.g., state and local statutes and regulations) in their jurisdiction prior to using or making disclosures of individuals’ PHI, as such laws may place further restrictions on disclosures that would otherwise be permitted by HIPAA.

Jackson Lewis P.C. © 2024

Current Legal Analysis

More from Jackson Lewis P.C.

Pregnant Workers Fairness Act Final Regulations Released
by: Joseph J. Lynett , Katharine C. Weber
USCIS Issues Employment Authorization Procedures for Palestinians on Deferred Enforced Departure
by: Forrest G. Read IV
OSHA Proposes Expansion of Workplace Protections for Emergency Responders
by: Courtney M. Malveaux , Melanie L. Paul
Ninth Circuit Holds Warehouse Worker Qualifies as Transportation Worker Under FAA Exemption
by: Scott P. Jang
MSHA Issues Long Awaited Final Silica Rule
by: Karl F. Kumli
Labor Commissioner’s FAQ on Fast Food Minimum Wage
by: Laura A. Pierson-Scheinberg , Benjamin A. Tulis
New Study Shows Gen Z LGBTQIA+ Students, Graduates Value, Seek Out Inclusive Workplaces
by: Teresa Burke Wright
DHS Extends, Redesignates Temporary Protected Status for Ethiopia
by: Forrest G. Read IV
Privacy Versus Cyber – What is the Bigger Risk?
by: Joseph J. Lazzarotti
Top Five Labor Law Developments for March 2024
by: Jonathan J. Spitz , Richard F. Vitarelli

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins