COVID-19: FAQs on Health Privacy

Has the U.S. Department of Health Services (HHS), Office of Civil Rights (OCR), the federal agency that regulates HIPAA compliance, waived any HIPAA requirements during the COVID-19 pandemic?

Yes. The waiver, announced March 16, 2020, relaxes some HIPAA regulations about using and disclosing protected health information to improve data sharing and patient care during this public health emergency. For example, certain sanctions and penalties from noncompliance with certain provisions of the HIPAA privacy regulations for hospitals that have disaster protocols in operation were waived.

In addition, in February 2020, HHS OCR released a bulletin, “HIPAA Privacy and Novel Coronavirus” to ensure that HIPAA-covered entities and their business associates are aware of the ways that patient information may be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency situation, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency. 

Has OCR offered any relief for providers that are serving patients remotely through telehealth services to lessen or prevent the spread of COVID-19?

On March 17, 2020, the HHS Office for Civil Rights (OCR) issued a notification of enforcement discretion for telehealth remote communications during the COVID-19 public health emergency. In the notice, OCR recognized that some of the remote communication technologies that providers use to connect with patients to provide telehealth services may not be fully compliant with HIPAA. OCR stated that they will exercise enforcement discretion by not imposing any penalties for noncompliance with regulatory requirements under HIPAA in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.

This will allow health care providers to offer telehealth services to patients using widely available communications technology, such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, without regard to whether the technology meets HIPAA requirements or whether the health care provider has a business associate agreement with the vendor.

OCR noted in its announcement that the enforcement discretion applies to all telehealth services rendered during this time, regardless of whether such telehealth services are specifically related to the diagnosis and treatment of COVID-19.

On March 20, 2020, OCR issued additional guidance in FAQs on Telehealth Remote Communications following its notification of enforcement discretion.

Can local health departments share information, such as identification of residents with COVID-19 positive test results, with their dispatch and EMS?

Local health departments may share limited information with their dispatch and EMS.

On March 24, 2020, U.S. Department of Health and Human Services, Office for Civil Rights (OCR), issued guidance, “COVID-19: Disclosures to law enforcement, paramedics, other first responders and public health authorities,” clarifying when a covered entity can provide the name or other identifying information of an individual who has been diagnosed or exposed to COVID-19, with law enforcement, paramedics, other first responders without an individual’s authorization.

Per OCR guidance, HIPAA permits covered entities’ uses and disclosures of health information for public health activities to improve public health and safety, 45 CFR § 164.512(b). Disclosures are also allowed for preventing or lessening serious and imminent threats when covered entities disclose PHI that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, and when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat), 45 CFR § 164.512(j). So, certain disclosures may be lawful, such as disclosures made to warn others who might be at risk of contracting or spreading a disease or condition. In addition, OCR has confirmed that health information may be disclosed for treatment purposes to emergency medical transport personnel who will provide treatment to individuals while transporting patients to the emergency department. But even then, the information is limited under the law to only what is deemed “minimum necessary.”

Public health departments must also comply with state laws regarding confidentiality of information. Wisconsin Stat. § 146.82(5) allows the disclosure or re-disclosure of information received from a patient health care record in certain circumstances: Pursuant to the patient’s informed consent for the re-disclosure, by court order, or if the re-disclosure is limited to the purpose for which the patient health care record was initially received (for example, the preservation of public health.). In addition, Wis. Stat. § 252.03(2) indicates that local health officers may do what is reasonable and necessary for the prevention and suppression of disease.

In the time of a public health emergency, what information can facilities share with residents of their communities regarding exposure to COVID-19?

Limited health information can be shared under this scenario, under both the HIPAA Privacy Rule and Wisconsin law. In February, “HIPAA Privacy and Novel Coronavirus” guidance was issued by OCR regarding permitted uses and disclosures of protected health information during an outbreak of infectious disease or emergency. That guidance included a reminder to HIPAA-covered entities and business associates that the protections of the HIPAA Privacy Rule still remain in place. 

The guidance indicates that HIPAA does permit certain disclosures to some health authorities to prevent or control the spread of disease. However, that exception is subject to the “minimum necessary” rule under the HIPAA Privacy Rule. Certain situations that pose a serious and imminent threat to the health or safety of a patient or others may permit the disclosure of patient-specific information or information on visitors to prevent or lessen the threat, consistent with other applicable law as well as the provider’s standards of ethical conduct.

Can information be shared if a patient or resident was exposed to someone with COVID-19?

The HIPAA Privacy Rule recognizes the need for covered entities (facilities), and others responsible for ensuring public health and safety, to have access to protected health information that is necessary to carry out their public health mission. One of the exceptions under the Privacy Rule permits covered entities to disclose needed protected health information without individual authorization, with anyone, as necessary to prevent a serious and imminent threat to the health and safety of a person or the public, if other law permits this. Per Wis. Stat. § 146.816(2)(b)4, a covered entity is permitted to disclose information about a patient or visitor in a good faith effort to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. The disclosure should include only minimum necessary information needed to prevent or lessen a serious and imminent threat to health and safety.  

In addition, HIPAA permits a health care provider to make disclosures to family, friends, and others involved in the patient’s care. When disclosing information to family, friends, and other individuals involved in the care of a patient, check with the patient or use good professional judgment to infer what is in the patient’s best interest and limit disclosures to information related to that person’s involvement in the patient’s care. This includes sharing limited health information, such as whether a patient has COVID-19, to certain friends, family members, and other individuals involved in the care of that patient. 

For additional information, please refer to the guidance.

Can local health departments provide a listing of residents who were identified with COVID-19 positive test results to law enforcement?

HIPAA lists several permitted disclosures to law enforcement, but does not include a specific exception for this scenario, 45 CFR §164.512(f). However, if under the particular facts of the situation, giving law enforcement that information would reasonably help them prevent or lessen a serious and imminent threat to the health or safety of an individual or the public, such a disclosure may be consistent with applicable law, 45 CFR § 164.512(j)(1) and Wis. Stat. § 146.82. Both federal and state law limits disclosure to minimum necessary information.

On March 24, 2020, U.S. Department of Health and Human Services, Office for Civil Rights (OCR), issued guidance, “COVID-19: Disclosures to law enforcement, paramedics, other first responders and public health authorities,” clarifying when a covered entity can provide the name or other identifying information of an individual who has been diagnosed or exposed to COVID-19, with law enforcement, paramedics, other first responders without an individual’s authorization. 

The guidance provides an example, where first responders may be at risk of infection, HIPAA permits a covered county health department, in accordance with state law (Wis. Stat. §§ 146.82 and 252.03(02), to disclose PHI to a police officer or other person who may come in contact with a person who tested positive for COVID-19, for the purposes of preventing or controlling the spread of COVID-19 (45 CFR 164.512(b)(1)(iv).   

In addition, the guidance indicates, “that a covered entity, such as a hospital, may provide a list of names and addresses of all individuals it knows to have tested positive or received treatment for COVID-19 to an EMS dispatch for use on a per-call-basis. The EMS dispatch (even if it is a covered entity) would be allowed to use information on the list to inform EMS personnel who are responding to any particular emergency call so they can take extra precautions or use personal protective equipment (PPE).” Under this example, the covered entity should not post the contents of the list publicly, such as a website. In addition, the covered entity should not distribute compiled lists of individuals to EMS personnel, instead should disclose only an individual’s information on a per-call-basis.

See additional information regarding law enforcement and HIPAA (HIPAA Privacy Rule: A Guide for Law Enforcement). Has the Substance Abuse Mental Health Services Administration (SAMHSA) issued any guidance regarding uses and disclosures of substance abuse and mental health (part 2) information during the COVID-19 emergency?

Yes. SAMHSA recently issued recommendations for Part 2 programs seeking guidance on clinical containment during the COVID-19 emergency. SAMHSA has not waived any requirements related to sharing Part 2 information. Absent certain limited exceptions, 42 CFR Part 2 requires written patient consent to disclose Part 2 information for treatment, payment, or health care operation purposes. The regulations set forth the consent requirements under Part 2 regulations, and mandate that the consent be in writing, whether paper or electronic. Electronic signatures are permitted under Part 2 to the extent not prohibited by applicable state law. Wisconsin permits electronic signatures.

Please note that there is an exception to the written patient consent requirement for medical emergencies. That exception provides that Part 2 patient information may be disclosed to medical personnel to the extent necessary to meet a bona fide medical emergency in which the patient’s prior informed consent cannot be obtained. There are specific requirements related to this exception, which require the Part 2 program to document in writing, the disclosure in the patient’s medical record, including:

  • The name of the medical personnel to whom disclosure was made and their affiliation with any health care facility.
  • The name of the individual making the disclosure.
  • The date and time of the disclosure.
  • The nature of the emergency (or error, if the report was to FDA pursuant to 2.31(b).

For additional information, refer to SAMHSA’s guidance.

If an employee is diagnosed with COVID-19, can an employer share the identity of that employee with other employees so they can take steps to protect themselves and appropriate measures to prevent further spread?

According to CDC guidance, if an employee is confirmed to have COVID-19 infection, employers should inform fellow employees of their possible exposure to COVID-19 in the workplace, but maintain confidentiality as required by the Americans with Disabilities Act (ADA). The fellow employees should then self-monitor for symptoms (fever, cough, or shortness of breath).

For additional information, refer to CDC Guidance. Check back as this guidance is being updated on a regular basis.

Last Revised: November 18, 2020