As hospitals, skilled nursing facilities, physician practices, and other health care providers work to address the novel coronavirus (COVID-19) and treat those impacted or who may be impacted, they must simultaneously work in connection with the first responders assisting patients, public health authorities tracking and responding to the pandemic, and law enforcement officials, including those who may have custody of a patient. It is important to understand when these HIPAA-regulated individuals and entities are permitted to share patient information, when they are required to do so, and what limitations exist on disclosures of identifiable health information.
In a March 24, 2020, guidance document, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) issued a reminder to covered entities and business associates as to the required and permissible disclosures under HIPAA that apply to sharing patient information with first responders, public health authorities, and law enforcement personnel. Unless a HIPAA exception applies, a patient must authorize the disclosure of his or her protected health information. However, there are a number of exceptions relevant to scenarios whereby a skilled nursing facility may disclose information regarding a patient with COVID-19 to a paramedic or other first responder, or a hospital may disclose similar patient data to law enforcement, or a physician clinic may identify patients testing positive for COVID-19 to public health authorities. In particular, some of the ways a HIPAA-regulated health care provider may disclose patient information without an authorization include:
- For treatment of the patient. For example, a skilled nursing facility may disclose information about a resident who has or may have COVID-19 with emergency medical transport (EMT) personnel who are transporting the resident to a hospital, or a hospital may disclose patient information to an EMT who is transferring a patient to another hospital. In addition, the OCR guidance states that a hospital or other covered entity may provide an emergency medical services (EMS) dispatch with a list of the names and addresses of patients that the hospital knows either tested positive for or received treatment for COVID-19. This disclosure is permissible in order to allow for the EMS dispatcher, on a per-call basis, to inform EMT personnel who are responding to a call at an identified patient’s residence, for example, to use personal protective equipment or provide tailored treatment to the relevant individual. OCR cautions that a patient list of this sort should not be shared publicly and that EMS dispatchers, to the extent regulated by HIPAA, should only share data on a patient-by-patient basis with EMT personnel and only when relevant to a particular transport request.
- To inform a first responder who may be at risk of COVID-19 infection. A hospital, skilled nursing facility, or other health care provider may disclose information regarding a COVID-19- impacted patient to a first responder who may have been exposed to the virus, or who may be at risk of contracting or spreading the virus, to the extent the clinician or facility is authorized by law to make such notification. For example, if state law permits a hospital to disclose information to persons who may have come into contact with a patient with COVID-19 in order to limit or prevent the spread of the virus, HIPAA would not hinder such disclosure.
- To avert a serious and imminent threat. A health care provider may disclose information about patients who tested positive for COVID-19 to those charged with protecting health and public safety, such as fire department personnel or child welfare workers, to prevent or lessen a serious and imminent threat to a person or the public. The health care provider would need to believe, in good faith, that the disclosure is necessary to prevent or lessen such a threat, and the disclosure must be made to one or more persons who are reasonably able to prevent or lessen the threat. Disclosures under this exception rely on the professional judgment of the applicable clinician as to whether a situation rises to the level of a threat to a person’s health or safety.
- To report or otherwise provide information for public health purposes. For example, as OCR notes in both its February bulletin  and its March 24, 2020, guidance, a hospital, skilled nursing facility, or other health care provider may disclose a patient’s information to the Centers for Disease Control and Prevention (CDC) to report actual or prospective cases of COVID-19. Providers may notify a foreign government agency if that agency is collaborating with an applicable U.S.-based public health authority. Health care providers also may provide information to a state or local health department when that agency is authorized by law to collect that information for the purpose of preventing or controlling disease.
- To respond to a request from a correctional institution or law enforcement official who has custody of an inmate or other individual. A hospital, skilled nursing facility, or other health care provider may provide health information related to a COVID-19 impacted individual if the institution or official requires the information:
- To provide health care to the individual
- For the health and safety of the individual, others present at a correctional institution, or persons transporting inmates
- For law enforcement purposes on the premises of the correctional institution
- For the correctional institution’s safety, security, and good order
A disclosure under this exception may include a hospital sharing a patient’s COVID-19 diagnosis with the warden of a correctional institution in order to ensure continued treatment for the inmate at issue and the health and safety of guards, other personnel, and inmates at the correctional institution.
As health care providers analyze patient information disclosures, they also must keep in mind whether there are any other federal or state law restrictions that limit the information that they can share. For example, certain subsets of a patient’s record may be specially protected under state law, such as mental health information or HIV/AIDS/sexually transmitted disease-related information, and substance use disorder information and genetic testing information is specially protected at the federal level. If a patient’s record contains any of these subsets of information, a provider should take care to ensure that a disclosure that includes this data is permissible. Also, hospitals, skilled nursing facilities, and other providers must take care to limit data disclosures (other than those required by law or for treatment purposes) to the minimum necessary to accomplish the purpose of the disclosure. For example, a provider likely will not need to transfer a patient’s mental health information or genetic test results to an EMT when informing that individual of a patient’s COVID-19 diagnosis.
It is important to note that, while other state data protection laws may apply more broadly, HIPAA only applies to covered entities and business associates. Persons or entities who do not fall within those categories are not subject to the HIPAA privacy protections and may be able to share data more freely.