Healthcare entities are being faced with a growing number of challenges related to the virus SARS-CoV-2, or the disease caused by that virus, COVID-19. One of those challenges is the issue of how to apply the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA), and when to share names or other identifying information of individuals infected with or exposed to the virus without violating that rule.

The U.S. Department of Health and Human Services (HHS) has issued a summary of the circumstances in which HIPAA’s Privacy Rule allows a covered entity to share that information with law enforcement, paramedics, and other first responders and public health authorities, without an individual’s explicit authorization.

The Privacy Rule applies to “covered entities.” Those include: Health Care Providers, Health Plans, and Health Care Clearing Houses.

Specific examples of Health Care Providers are:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

…but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

Health Plans include:

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans’ health care programs.

Health Care Clearing Houses include entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

If, in fact, the entity at issue falls within the definition of “covered entity,” it is permitted to disclose the protected health information (PHI) of an individual infected with – or exposed to – COVID-19, with “law enforcement, paramedics, other first responders, and public health authorities” without explicit authorization from the affected individual, in certain circumstances. According to the HHS, those circumstances include:

  • When the disclosure is needed to provide treatment.
  • When the notification is required by law (i.e., reporting cases of infectious diseases to public health officials).
  • To notify a public health authority in order to prevent or control the spread of disease.
  • When first responders may be at risk of infection.
  • When disclosure to first responders is necessary to prevent or lessen a serious/imminent threat to a person or the public.
  • When responding to a request for PHI by a correctional institution/law enforcement official having lawful custody of an inmate or other individual.

Generally, a covered entity must make reasonable efforts to limit the amount of information disclosed to that which is the “minimum necessary” to accomplish the purpose for the disclosure. Prior to making such disclosure, covered entities should consult other (state or local) applicable laws for any further restrictions on disclosures that may be applied outside of the HIPAA Privacy Rule.

The HHS notice – a link to which can be found here – provides examples of disclosures from various covered entities; it also provides a list of related resources related to the coronavirus and other types of disclosures. Add those to the list of resources for dealing with the current situation.