On Tuesday, March 24, 2020, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released guidance on scenarios in which it is permissible under HIPAA to share the name and other identifying information of an individual infected with COVID-19 with law enforcement, paramedics, other first responders and public health authorities without the individual’s authorization. Notably, these are not new waivers of existing HIPAA requirements or examples of OCR’s enforcement discretion, but OCR’s interpretation of what disclosures are permitted under the HIPAA Privacy Rule.
The various scenarios, which represent common situations encountered by health care providers and first responders since the start of the COVID-19 pandemic, demonstrate OCR’s continued goal to balance individual privacy with the health and safety of first responders and other health care personnel. These examples include, but are not limited to:
Using or disclosing PHI during the course of treatment
By way of example, HIPAA permits a covered skilled nursing facility to disclose PHI about an individual who has COVID-19 to emergency medical transport personnel who will provide treatment while transporting the individual to a hospital’s emergency department.
When first responders may be at a serious and imminent risk of infection
A covered entity may disclose PHI to a first responder (e.g., police officer, EMT) who may have been exposed to COVID-19 or may otherwise be at risk of contracting or spreading COVID-19, if the covered entity is authorized by law, such as state law, to notify persons as necessary in the conduct of a public health intervention or investigation. For example, HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19 for purposes of preventing or controlling the spread of the virus.
Preventive measures to mitigate EMS personnel exposure
A covered entity, such as a hospital, may provide a non-public list of the names and addresses of all individuals it knows to have tested positive, or received treatment, for COVID-19 to an EMS dispatch (not individual EMS personnel) for use on a per-call basis. The EMS dispatch, even if it is a covered entity, would be allowed to use information on the list to inform EMS personnel who are responding to any particular emergency call that the individual who is the subject of the emergency has COVID-19 so that emergency personnel can take extra precautions or use personal protective equipment.
OCR reminds covered entities that, except when required by law or for treatment disclosures, the “minimum necessary” restrictions still apply in all scenarios, and that HIPAA is still in force during this pandemic. While OCR’s examples all use the general term PHI, OCR does specifically list “name and other identifying information” in the guidance introduction, which is yet another indication that all covered entities should take care to avoid sharing with first responders anything but the minimum necessary information required by the specific situation.
This information is provided for informational purposes only and is not intended to constitute legal advice.