OCR Guidance on COVID-19 and HIPAA Disclosures
Office for Civil Rights Guidance on COVID-19 and HIPAA disclosures to law enforcement, paramedics, other first responders, and public health authorities
by Kathy Lester, J.D., M.P.H.
On March 24, the Office for Civil Rights (OCR) released guidance clarifying that any covered entity may share the name or other identifying information of an individual who has been infected with, or exposed to, COVID-19 with law enforcement, paramedics, other first responders, and public health authorities without an individual’s authorization. This clarification allows ground ambulance entities and their personnel to share the information consistent with the guidance. It also allows other covered entities such as hospitals, physicians to share the information with ground ambulance entities and their personnel. Finally, there are no HIPAA restrictions on non-covered entities, such as law enforcement, families, public health departments, and 911 call centers (not otherwise covered entities), from sharing the information. There may be State confidentiality laws that apply as well, and the AAA encourages ground ambulance entities to review the laws in the States in which they operate.
The authority to share this information is in the existing HIPAA regulation – this is not a waiver or a change in the current law. OCR highlights the current authority in the guidance.
- Disclosure of PHI pursuant to treatment (45 C.F.R. § 164.506(c)(2)). Covered entities may disclose PHI to another covered entity for purposes of treatment, payment, or health care operations. The guidance provides the example of a skilled nursing facility (SNF) disclosing PHI about a COVID-19 positive individual to emergency transport personnel who will be treating a patient during the transport of the individual to a hospital emergency department. This is an example and not the only scenario to which the disclosure policy applies.
- Disclosures required by law (45 C.F.R. § 164.512(a)). Covered entities may disclose PHI when such disclosure is required by law. The guidance provides the example of a hospital disclosing PHI about a COVID-19 positive individual to public health officials when such a disclosure is required by state law. Again, this is an example and not the only scenario to which the disclosure policy applies.
- Disclosure to public health authorities (45 C.F.R. §§ 164.512(b)(1) & 164.501 (definition of public health authority). Covered entities may disclose PHI about a COVID-19 positive individual to a public health authority that is authorized by law to collect or receive such information for the purpose of controlling disease, injury, or disability. The purposes include public health surveillance, public health investigations, and public health interventions. Examples of public health authorities include the Centers for Disease Control and Prevention and state, tribal, local, and territorial public health departments).
- Disclosures when risk of infection to a person (45 C.F.R. § 512(b)(1)(iv)). Covered entities or public health authority may disclose to a person – including first responders – who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation. The guidance provides the example of a county health department disclosing such information to a police office to prevent or control the spread of COVID-19. This authority would also apply to ground ambulance personnel, even though the example does not reference them specifically.
- Disclosures to prevent or lessen a serious and imminent threat to the health and safety of a person or the public (45 C.F.R. § 164.512(j)(1)). Covered entities may disclose PHI to a person or the public to prevent or lessen a serious and imminent threat to the health and safety of a person or the public when the disclosure is made to someone the person making the disclosure believes that doing so will prevent or lessen the threat. The guidance provides an example of disclosing COVID-19 status to firefighters, child welfare workers, mental health crisis personnel, or others – which would include ground ambulance personnel as well. The covered entity must believe in good faith that the disclosure is necessary to prevent or minimize the threat of imminent disclosure to the person or public.
- Disclosure to a correctional institution or law enforcement having lawful custody of an inmate or other individual under certain circumstances (45 C.F.R. § 164.512(k)(5)). Covered entities may disclose PHI related to an inmate’s positive COVID-19 status under the following circumstances:
- Providing health care to the individual;
- The health and safety of the individual, other inmates, officers, employees, and others present at the correctional institution, or persons responsible for the transporting or transferring of inmates;
- Law enforcement on the premises of the correctional institution; or
- The administration and maintenance of the safety, security, and good order of the correctional institution.
The guidance provides the example of a physician at a medical facility sharing an inmate’s positive COVID-19 status with correctional guards.
For all of these disclosures, with the exception of those that are required by law or for the purpose of treatment, the covered entity must provide the minimum amount of information necessary to accomplish the purpose. For example, the guidance states that a hospital should not distribute a list of individuals who are COVID-19 positive or suspected to have the virus to EMS personnel, but rather disclose the information on a case-by-case basis about the specific patient being treated. Similarly, a 911 call center that is a covered entity may provide such information to a police office or similar personnel being dispatched to the scene to allow the responder to take the necessary precautions.
The guidance also provides additional examples that reference specific types of covered entities, but these are just examples. The laws apply to all covered entities and not just those highlighted in the examples.