On March 24, 2020, the U.S. Department for Health and Human Services, Office for Civil Rights (OCR) released guidance on disclosures of protected health information (PHI) to law enforcement, paramedics, other first responders, and public health authorities under the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). The guidance, which is available here, confirms that while PHI may be disclosed to treat or prevent the spread of COVID-19, the majority of HIPAA’s restrictions on the disclosure of PHI remain in effect.
OCR, the office responsible for enforcing HIPAA, reiterated that the HIPAA Privacy Rule allows covered entities to share the name and other identifying information of an individual infected with or exposed to COVID-19 with law enforcement, paramedics, other first responders, and public health authorities without an individual’s authorization. However, such disclosures are limited to certain factual scenarios. The scenarios include the following: when the disclosure is needed to provide treatment to the individual, when such notification is required by law, including state law, or to notify a public health authority in order to prevent or control spread of disease.
For example, a covered entity can disclose PHI to a first responder who has been exposed to COVID-19, or may otherwise be at risk of contracting or spreading COVID-19, if the covered entity is authorized by state law to make such a disclosure. Many, but not all states, allow notifications in conjunction with public health interventions or investigations. Covered entities can also disclose PHI to prevent or lessen a serious and imminent threat to a person or the public when such disclosure is made to someone the covered entity reasonably believes can prevent or lessen the threat. This may include notification to those charged with protecting the health or safety of the public so long as the covered entity has a good faith belief that the disclosure of PHI is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties.
Importantly, a covered entity must still make reasonable efforts to comply with the “minimum necessary” standard under HIPAA, except when required by law or for treatment-related disclosures. This requires the covered entity to disclose only an amount of PHI reasonably necessary to achieve the intended purpose.
For questions regarding COVID-19-related disclosures of PHI under HIPAA or to see if your state’s laws allow for disclosure, please contact the MMM Healthcare Group.