COVID-19 Crisis: OCR Publishes Allowable Disclosures of PHI to First Responders

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has made available additional  guidance regarding HIPAA and COVID-19, the disease caused by the 2019 Novel Coronavirus, SARS-CoV-2. The new guidance document goes through a range of examples of allowable disclosures of protected health information (PHI) by covered entities under the HIPAA Privacy Rule to ensure first responders and others receive PHI about those people exposed to SARS-CoV-2 or displaying symptoms of COVID-19.

The latest guidance document is in Q&A form and explains when covered entities are permitted to share PHI such as names and other identifying data to first responders, law enforcement officers, paramedics, and public health authorities without first seeking and receiving a HIPAA authorization.

The document makes it clear that under the HIPAA Privacy Rule, disclosures of PHI are permitted when the information is required to administer treatment, when a disclosure is required by HIPAA legislation, when first responders such as paramedics are at risk of contracting COVID-19 and need information to tackle infection, and when a disclosure could prevent or lessen a significant and current threat.

OCR also confirms that a disclosure of PHI is permitted when addressing to a request for PHI from a correctional institution or law enforcement official in lawful custody of an inmate or other individual, and PHI is required in order to administer healthcare services to the individual, to guarantee the health and safety of the individual or others in the institution, those required to move the individual, and when PHI is required to maintain safety, security, and good order in a correctional institution.

OCR confirms that a hospital is permitted to supply a list of names and addresses of all individuals known to have tested positive for COVID-19 to an EMS dispatch for use on a per-call basis. That data can then be used to ensure that any personnel attending an emergency at the patient’s location knows they must take extra precautions to ensure their own safety, including wearing personal protective equipment (PPE).

911 call center staff may request information in relation to a patient’s symptoms in order to determine whether there is a risk they have been infected with SARS-CoV-2. Information may then be sent to law enforcement officers and others responding to an incident at the person’s location to see to it they take steps to safeguard themselves.

In all of this scenarios, a covered entity must make reasonable attempts to limit the disclosed information to the minimum amount necessary to achieve the purpose for the disclosure.

Roger Severino, OCR Director said: “Our nation needs our first responders like never before and we must do all we can to assure their safety while they assure the safety of others. This guidance helps ensure first responders will have greater access to real time infection information to help keep them and the public safe.”

The guidance document can be found on the HHS website on this link (PDF).

HIPAA Violation Penalties

Most Common HIPAA Violations Causes