While additional guidance is expected following enactment of the CARES Act, which in its current form passed by the U.S. Senate requires the Department of Health and Human Services (HHS) to issue guidance on information sharing from patient records during the COVID-19 public health emergency, on March 24, 2020, the HHS Office for Civil Rights (OCR) issued COVID-19 HIPAA guidance regarding disclosures of protected health information (PHI) to first responders and public health authorities. In this guidance, OCR reiterated how various COVID-19 related disclosures can be provided under the HIPAA Privacy Rule without patient authorization. Such disclosures include the following:

• Treatment purposes. For example, a nursing facility could disclose PHI about an individual with COVID-19 to paramedics providing treatment while transporting the patient to a hospital.
• Required by law. HIPAA allows covered entities to disclose PHI about a patient who tests positive for COVID-19 in accordance with any state law requiring the reporting of certain infectious diseases to public health officials.
• Notifying a public health authority to prevent or control the spread of disease. HIPAA permits PHI disclosures to a public health authority (e.g. the Centers for Disease Control and Prevention and state health departments) that is authorized by law to collect or receive PHI for the purpose of preventing or controlling disease, including public health surveillance, investigations and interventions.
• Exposure to disease. A covered entity can notify a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading the disease if the covered entity is authorized by law to notify persons as necessary while conducting public health interventions or investigations. So, for example, a covered local health department could, in accordance with state law, disclose PHI to a first responder who may have come into contact with someone who tested positive for COVID-19.
• Preventing or lessening a serious and imminent threat to health and safety. HIPAA allows a covered entity to disclose PHI if it, in good faith, believes the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety or a person or the public and the disclosure is to a person reasonably able to prevent or lessen such threat, which may include the target of the threat. For example, a healthcare provider could disclose PHI about a COVID-19 positive individual to police, paramedics, social workers, or others charged with protecting the health and safety of the public if such disclosure is necessary to prevent or minimize the threat of exposure to such individuals in the performance of their duties.
• Responses to requests from correctional institutions or law enforcement. A covered entity can disclose COVID-19 related PHI requested by a correctional institution or law enforcement official having custody of an inmate or other individual if the facility or official represents the PHI is needed for: providing healthcare to the individual; the health and safety of the individual, officers and other employees of the institution; law enforcement on the premises of the correctional institution; or the administration of the safety, security and good order of the correctional institution. For example, a physician at a prison medical facility could share an inmate’s positive COVID-19 results with facility guards for the health and safety of all people within the facility.  

OCR also emphasized to covered entities that COVID-19 PHI disclosures must still meet HIPAA’s “minimum necessary” standard, unless such disclosures are for treatment purposes or required by law.

Please visit our COVID-19 Toolkit for all of Taft’s updates on the coronavirus.