On Tuesday, March 24, 2020, the Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS) issued guidance on how covered entities may disclose protected health information (PHI) about an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.
The guidance explains the circumstances under which a covered entity may disclose PHI such as the name or other identifying information about individuals, without their HIPAA authorization, and provides examples including:
- When needed to provide treatment;
- When required by law;
- When first responders may be at risk for an infection; and
- When disclosure is necessary to prevent or lessen a serious and imminent threat.
This guidance clarifies the regulatory permissions that covered entities may use to disclose PHI to first responders and others so they will know to take extra precautions or use personal protective equipment. The guidance also includes a reminder that generally, covered entities must make reasonable efforts to limit the PHI used or disclosed to that which is the “minimum necessary” to accomplish the purpose for the disclosure.
“Our nation needs our first responders like never before and we must do all we can to assure their safety while they assure the safety of others,” said Roger Severino, OCR Director. “This guidance helps ensure first responders will have greater access to real time infection information to help keep them and the public safe,” added Severino.
The guidance may be found here.