On March 24, 2020, the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) issued new HIPAA guidance to help providers and first responders in their efforts to combat the COVID-19 pandemic.

OCR’s guidance addresses when HIPAA allows identifying health information about individuals infected with or exposed to COVID-19 to be disclosed, without patient authorization, to first responders – such as law enforcement and emergency medical services personnel – and public health authorities. OCR confirms such disclosures are permissible under HIPAA in certain circumstances, including:

  • If necessary to provide treatment, such as when a hospital coordinates with emergency medical services personnel regarding the transportation of a potential COVID-19 patient;
  • If required by law, such as situations in which confirmed diagnoses of communicable diseases like COVID-19 must be reported to state public health authorities;
  • If necessary to notify public health authorities to prevent or control the spread of disease, such as disclosures to the Centers for Disease Control and Prevention or to state departments of public health or local health boards authorized by law to receive or collect the information;
  • If first responders are at risk for infection, where authorized by state law (such as M.G.L. c. 111 § 111C in Massachusetts);
  • If disclosure is necessary to prevent or lessen a serious and imminent threat, and is made to someone who can lessen or prevent the threat; or
  • In response to requests from a correctional institution or law enforcement official with custody over the individual who is the subject of the disclosure, as long as the disclosure is necessary for providing health care to the individual, for the health and safety of those around the individual (including law enforcement and corrections officers), or for the administration of the correctional institution.

OCR further advises that such disclosures generally should adhere to HIPAA’s “minimum necessary” standard for uses and disclosures. OCR concludes the guidance by providing a few examples of scenarios involving the use or disclosure of personal health information (PHI) to or from first responders and others on the front lines of the COVID-19 response.

OCR’s guidance is well-timed as hospitals and first responders increase coordination to address the COVID-19 pandemic. Hospitals and other providers would be well-advised to continue monitoring guidance from OCR in support of public health efforts.

This post is also being shared on our Health Law Diagnosis blog.