March 25, 2020
Health Care Alert
Author(s): Valerie Breslin Montague
OCR’s latest guidance summarizes ways health care providers may disclose information on COVID-19-impacted patients to EMTs and other first responders, law enforcement personnel and public health authorities,
As hospitals, skilled nursing facilities, physician practices, and other health care providers work to address the novel coronavirus (COVID-19) and treat those impacted or who may be impacted, they must simultaneously work in connection with the first responders assisting patients, public health authorities tracking and responding to the pandemic, and law enforcement officials, including those who may have custody of a patient. It is important to understand when these HIPAA-regulated individuals and entities are permitted to share patient information, when they are required to do so, and what limitations exist on disclosures of identifiable health information.
In a March 24, 2020, guidance document, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued a reminder to covered entities and business associates as to the required and permissible disclosures under HIPAA that apply to sharing patient information with first responders, public health authorities, and law enforcement personnel. Unless a HIPAA exception applies, a patient must authorize the disclosure of his or her protected health information. However, there are a number of exceptions relevant to scenarios whereby a skilled nursing facility may disclose information regarding a patient with COVID-19 to a paramedic or other first responder, or a hospital may disclose similar patient data to law enforcement, or a physician clinic may identify patients testing positive for COVID-19 to public health authorities. In particular, some of the ways a HIPAA-regulated health care provider may disclose patient information without an authorization include:
A disclosure under this exception may include a hospital sharing a patient’s COVID-19 diagnosis with the warden of a correctional institution in order to ensure continued treatment for the inmate at issue and the health and safety of guards, other personnel, and inmates at the correctional institution.
As health care providers analyze patient information disclosures, they also must keep in mind whether there are any other federal or state law restrictions that limit the information that they can share. For example, certain subsets of a patient’s record may be specially protected under state law, such as mental health information or HIV/AIDS/sexually transmitted disease-related information, and substance use disorder information and genetic testing information is specially protected at the federal level. If a patient’s record contains any of these subsets of information, a provider should take care to ensure that a disclosure that includes this data is permissible. Also, hospitals, skilled nursing facilities, and other providers must take care to limit data disclosures (other than those required by law or for treatment purposes) to the minimum necessary to accomplish the purpose of the disclosure. For example, a provider likely will not need to transfer a patient’s mental health information or genetic test results to an EMT when informing that individual of a patient’s COVID-19 diagnosis.
It is important to note that, while other state data protection laws may apply more broadly, HIPAA only applies to covered entities and business associates. Persons or entities who do not fall within those categories are not subject to the HIPAA privacy protections and may be able to share data more freely.
The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.