Law enforcement, paramedics and other first responders are on the front line in the fight against COVID-19. Facing danger and risk is not new for first responders, but this particular risk, an invisible, rapidly spreading virus, is.
Normal HIPAA Rules Recognize Emergencies
As we’ve discussed every week during March, 2020, HIPAA remains in effect during a public health emergency. But there are important rules about emergencies, including infectious disease outbreaks, that deserve review. See our News page for more.
The HIPAA Privacy Rule allows the sharing of protected health information in certain circumstances that first responders face every day. These rules are not new or special, but are “normal uses and disclosures” under HIPAA. This blog summarizes the sections of OCR guidance that apply to first responders.
We have created training for First Responders and Public Health under COVID-19 that you can find here.
HIPAA Privacy Rule Permits Disclosures
The HIPAA Privacy Rule permits a covered entity to disclose the protected health information (PHI) of someone who has been infected with, or exposed to, COVID-19, with law enforcement, paramedics, other first responders, and public health authorities without a HIPAA authorization, in certain circumstances:
- When the disclosure is needed for treatment.
- For example, a skilled nursing facility may discuss the PHI of patient who has COVID-19 to EMS personnel who will provide treatment during transport
- When notification is required by law.
- For example, HIPAA permits a covered entity, such as a hospital, to disclose PHI about a patient who tests positive for COVID-19 if state law requires the reporting of cases to public health officials.
- When first responders may be at risk of infection.
- A covered entity may disclose PHI to a first responder who may have been exposed to COVID-19, or may otherwise be at risk of contracting or spreading COVID-19, if the covered entity is authorized by law to notify persons as part of a public health intervention.
- For example, HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19.
- When the disclosure to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.
- For example, HIPAA permits a covered entity, consistent with law and ethics, to disclose PHI about patients who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure is necessary to prevent or minimize the threat of imminent exposure to them.
- When responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual,
- if the facility or official represents that the PHI is needed for:
- providing health care to the individual;
- the health and safety of the individual, other inmates, officers, employees and others present at the correctional institution, or persons responsible for the transporting or transferring of inmates;
- law enforcement on the premises of the correctional institution; or
- the administration and maintenance of the safety, security, and good order of the correctional
- if the facility or official represents that the PHI is needed for:
-
- For example, HIPAA permits a covered entity, such as a physician, located at a prison medical facility to share an inmate’s positive COVID-19 test results with correctional guards at the facility for the health and safety of all people at the facility.
Minimum Necessary Standard Still Applies
Except when required by law, or for treatment disclosures, a covered entity must make reasonable efforts to limit the information used or disclosed to the “minimum necessary” to accomplish the purpose.
EMS Dispatch and 911 Call Centers are Permitted to Disclose PHI
For EMS Dispatch
Example 1: A hospital or public health department may provide a list of names and addresses of all persons known to have tested positive, or received treatment, for COVID-19 to an EMS dispatch center for use on a per-call basis. The EMS dispatch (even if it is a covered entity) is allowed to use the list to inform EMS personnel who are responding to any particular emergency call so that they can take extra precautions or use personal protective equipment (PPE).
- Note, the list may not be publicly posted or provided to media, nor should it be distributed as compiled list to EMS personnel in the field. It should be provided to EMS dispatch who may pass on individual information on a per-call basis.
Example 2: A 911 call center may ask screening questions of all callers, for example, their temperature, or whether they have a cough or difficulty breathing, to identify potential COVID-19. If the call center is a HIPAA covered entity, the call center is permitted to inform a police officer being dispatched to the scene of the name, address, and screening results of the persons who may be encountered so that the officer can take extra precautions or use PPE to lessen the officer’s risk of exposure to COVID-19, even if the subject of the dispatch is for a non-medical situation. Again, the minimum necessary standard applies.
The HIPAA E-Tool® is Up to Date on COVID-19
This blog discussed “normal” uses and disclosures under HIPAA that existed before COVID-19, but apply now, especially for first responders, including law enforcement and EMS. Other elements of HIPAA have been modified, some temporary and some permanent due to the pandemic. Our HIPAA compliance program, The HIPAA E-Tool® has been modified to reflect all the recent changes.
For the foreseeable future this blog will continue to discuss how HIPAA works during the COVID-19 pandemic.
Please let us know if you have questions about real life situations you face. Send us your questions with the contact form – we will reply.