
Thursday, March 26, 2020

COVID: Office for Civil Rights Issues Guidance on How Covered Entities May Disclose PHI About an Individual Infected/Exposed to COVID-19

Written by Bob Coffield, Flaherty Sensabaugh Bonasso PLLC

On March 24, 2020, the Office for Civil Rights (OCR), U.S. Department of Health and Human Services, issued the following guidance document related to the ongoing COVID crisis: COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities.

The OCR guidance indicates that covered entities (hospitals, physicians, long term care facilities, home health agencies, and other providers) may disclose protected health information (PHI) about an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities in compliance with the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The PHI can be disclosed by the covered entity without first obtaining the individual's HIPAA authorization.

The guidance explains the circumstances under which a covered entity may disclose PHI such as the name or other identifying information about individuals, without their HIPAA authorization, and provides examples including:
  • When needed to provide treatment;
  • When required by law;
  • When first responders may be at risk for an infection; and
  • When disclosure is necessary to prevent or lessen a serious and imminent threat.
This guidance clarifies the regulatory permissions that covered entities may use to disclose PHI to first responders and others so they can take extra precautions or use personal protective equipment. The guidance also includes a reminder that generally, covered entities must make reasonable efforts to limit the PHI used or disclosed to that which is the "minimum necessary" to accomplish the purpose for the disclosure.

Examples outlined in the guidance include the following:
  • HIPAA permits a covered skilled nursing facility to disclose PHI about an individual who has COVID-19 to emergency medical transport personnel who will provide treatment while transporting the individual to a hospital’s emergency department. 45 CFR 164.502(a)(1)(ii); 45 CFR 164.506(c)(2).
  • HIPAA permits a covered entity, such as a hospital, to disclose PHI about an individual who tests positive for COVID-19 in accordance with a state law requiring the reporting of confirmed or suspected cases of infectious disease to public health officials. 45 CFR 164.512(a).
  • HIPAA permits a covered entity to disclose PHI to a public health authority (such as the Centers for Disease Control and Prevention (CDC), or state, tribal, local, and territorial public health departments) that is authorized by law to collect or receive PHI for the purpose of preventing or controlling disease, injury, or disability, including for public health surveillance, public health investigations, and public health interventions. 45 CFR 164.512(b)(1)(i); see also 45 CFR 164.501 (providing the definition of “public health authority”).
  • HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. 45 CFR 164.512(b)(1)(iv).
  • HIPAA permits a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties. 45 CFR 164.512(j)(1).
  • HIPAA permits a covered entity, such as a physician, located at a prison medical facility to share an inmate’s positive COVID-19 test results with correctional guards at the facility for the health and safety of all people at the facility. 45 CFR 164.512(k)(5).
  • A covered entity, such as a hospital, may provide a list of the names and addresses of all individuals it knows to have tested positive, or received treatment, for COVID-19 to an EMS dispatch for use on a per-call basis. The EMS dispatch (even if it is a covered entity) would be allowed to use information on the list to inform EMS personnel who are responding to any particular emergency call so that they can take extra precautions or use personal protective equipment (PPE). Under this example, a 911 call center that is a covered entity should only disclose the minimum amount of information that the officer needs to take appropriate precautions to minimize the risk of exposure. Depending on the circumstances, the minimum necessary PHI may include, for example, an individual’s name and the result of the screening.
For more information on HIPAA and COVID-19, see OCR's February 2020 Bulletin, Office for Civil Rights, U.S. Department of Health and Human Services BULLETIN: HIPAA Privacy and Novel Coronavirus.

UPDATE (3/30/2020):

Following is additional HIPAA privacy-related flexibility and guidance issued by the Office for Civil Rights (OCR):

Wednesday, March 14, 2012

BCBS of TN Settles HIPAA/HITECH Violation for $1.5M

The HHS Office for Civil Rights (OCR) announced a settlement of $1.5M with Blue Cross Blue Shield of Tennessee (BCBST) relating to potential violations under the HIPAA Privacy and Security Rules. According to the OCR press release, the enforcement action by OCR is the first reported as resulting from a breach report required under the new Breach Notification Rule implemented as a result of the HITECH provisions of HIPAA.

The breach involved 57 unencrypted computer hard drives that were stolen from a facility leased by BCBST in Tennessee. The hard drives contained protected health information of approximately 1 million individuals. The breach was reported by BCBST to OCR under the HITECH provisions and regulations that require reporting of potential breaches. The press release indicates that OCR’s investigation found that BCBST failed to implement appropriate administrative safeguards to adequately protect information remaining at the leased facility by not performing the required security evaluation in response to operational changes. In addition, the investigation showed a failure to implement appropriate physical safeguards by not having adequate facility access controls; both of these safeguards are required by the HIPAA Security Rule.

For more information check out the HHS press release "HHS settles HIPAA case with BCBST for $1.5 million" which includes a link to the HHS Resolution Agreement entered into between OCR and BCBST.

Tuesday, November 08, 2011

HIPAA/HITECH Audits: OCR Program to Audit 150 Covered Entities

Today the Office for Civil Rights (OCR) announced details of a pilot program to perform up to 150 audits of covered entities to assess privacy and security compliance under HIPAA. OCR will be conducting the audits between November 2011 and December 2012.

The days of waiting for HIPAA privacy and security enforcement activities are over. The announcement of these planned audits will get the attention of health care providers who have failed to focus on HIPAA privacy and security compliance efforts. The announcement will remind all health care providers to maintain an active, current HIPAA privacy and security compliance program.

OCR provides more detail on the audit program on the OCR HIPAA Audit Program page, including this description of the program objectives:
The audit program serves as a new part of OCR’s health information privacy and security compliance program. OCR will use the audit program to assess HIPAA compliance efforts by a range of covered entities. Audits present a new opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews. OCR will broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges via this web site and other outreach portals.
The OCR HIPAA Audit Program page also provides detail on when the audits will begin, who will be audited, how the audit process will work, and what will happen after the audit. The information indicates that they will select a broad range of covered entities for the first round of audits and that business associates will be included in future audits.

OCR provides the graphic below to help describe how the audits will be performed. Covered entities will be selected, notified, and asked to provide documentation of privacy and security compliance efforts within 10 business days. An onsite visit will occur and interviews will be performed. A draft report will be provided to the covered entity and there will be a procedure for the covered entity to discuss the areas of concern raised in the audit and describe any corrective action they may implement.

The HIPAA audits are a requirement under the American Recovery and Reinvestment Act of 2009 (Section 13411). HHS awarded KPMG a $9 million contract earlier this year to assist OCR with the audits.