In new guidance, the HHS Office for Civil Rights (OCR) has authorized hospitals and other covered entities (CEs) that may be faced with demands from first responders and law enforcement to provide a list of patients who have tested positive for COVID-19.[1]
But whether the strategies offered—including to limit the disclosure to dispatchers only—are workable remains to be seen, particularly given how fraught the relationship between the police and caregivers can be. It was just three years ago that dramatic body camera video showed the handcuffing of a Utah nurse who refused to allow a police official to take blood from a patient with serious burns who later died.[2] (The nurse received a $500,000 settlement from the Salt Lake City police department and the University of Utah, which owns the hospital, and the officer was fired.)
In addition, Jeff Drummond, an attorney with decades of experience in HIPAA matters, tells RPP that the use of a patient list, particularly when shared with law enforcement or firefighters, might be problematic and advises giving the guidance thoughtful consideration before implementation.
Titled “COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities,” the guidance, issued March 24, differs little from how disclosures to these groups have historically been interpreted by OCR.[3] Generally speaking, no patient authorization is required for sharing of protected health information (PHI) with public health entities and to protect against imminent danger, for example.
Where the guidance may break new ground—reflecting what one OCR official called “creative thinking” and “further steps” on the agency’s part—is in its recommendations about the use of lists of patients affected by COVID-19.
Speaking March 30 at the virtual Compliance Institute sponsored by RPP publisher the Health Care Compliance Association, Timothy Noonan, OCR deputy director for health information privacy, discussed the guidance and fleshed out some of the examples the agency offered.
Allowable Situations Outlined
The guidance is basically an elongated answer to one FAQ: “Does the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule allow a covered entity to share the name or other identifying information of an individual who has been infected with, or exposed to, the virus SARS-CoV-2, or the disease caused by the virus, Coronavirus Disease 2019 (COVID-19), with law enforcement, paramedics, other first responders, and public health authorities without an individual’s authorization?”
The answer is yes, and such sharing can be done “without the individual’s HIPAA authorization, in certain circumstances.” These include the following:
- “When the disclosure is needed to provide treatment. For example, HIPAA permits a covered skilled nursing facility to disclose PHI about an individual who has COVID-19 to emergency medical transport personnel who will provide treatment while transporting the individual to a hospital’s emergency department. 45 C.F.R. § 164.502(a)(1)(ii); 45 C.F.R. § 164.506(c)(2).
- “When such notification is required by law. For example, HIPAA permits a covered entity, such as a hospital, to disclose PHI about an individual who tests positive for COVID-19 in accordance with a state law requiring the reporting of confirmed or suspected cases of infectious disease to public health officials. 45 C.F.R. § 164.512(a).
- “To notify a public health authority in order to prevent or control spread of disease. For example, HIPAA permits a covered entity to disclose PHI to a public health (such as the Centers for Disease Control and Prevention (CDC), or state, tribal, local, and territorial public health departments) that is authorized by law to collect or receive PHI for the purpose of preventing or controlling disease, injury, or disability, including for public health surveillance, public health investigations, and public health interventions. 45 C.F.R. § 164.512(b)(1)(i); see also 45 C.F.R. § 164.501 (providing the definition of “public health authority”).
- “When first responders may be at risk of infection. A covered entity may disclose PHI to a first responder who may have been exposed to COVID-19, or may otherwise be at risk of contracting or spreading COVID-19, if the covered entity is authorized by law, such as state law, to notify persons as necessary in the conduct of a public health intervention or investigation. For example, HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. 45 C.F.R. § 164.512(b)(1)(iv).
- “When the disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. A covered entity may disclose PHI to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat, which may include the target of the threat. For example, HIPAA permits a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties. 45 C.F.R. § 164.512(j)(1).”
The last two bullet points may represent the biggest changes and challenges that hospitals and others may face compared to disclosures they made pre-pandemic, and OCR explored them in more detail in two subsequent examples in the guidance.