HIPAA Waivers

Q: Has HHS waived any HIPAA requirements during this COVID-19 pandemic?

A: In response to President Trump’s declaration of a nationwide emergency concerning COVID-19 and HHS Secretary Azar’s declaration of a public health emergency, Secretary Azar issued a limited waiver effective March 15, 2020, waiving sanctions and penalties against a covered hospital that does not comply with specific portions of the HIPAA Privacy Rule.

Q: Has the Office of Civil Rights (OCR), which regulates HIPAA compliance, offered any relief for providers that are serving patients remotely through telehealth services to lessen or prevent the spread of COVID-19?

A: Effective March 17, 2020, OCR issued a Notification of Enforcement Discretion for telehealth remote communications during the COVID-19 nationwide public health emergency. OCR states that it will not impose penalties for noncompliance with HIPAA’s Rules against health care providers in connection with their good faith use of telehealth during the COVID-19 nationwide public health emergency.

On March 20, 2020, OCR issued guidance on telehealth remote communications following its notification of enforcement discretion.

Q: Has the OCR offered any relief to support disclosures to or for public health and health oversight?

A: On April 2, 2020, OCR issued a Notification of Enforcement Discretion with respect to business associates’ good faith use and disclosure of PHI for public health and health oversight activities during the COVID-19 nationwide public health emergency. Unless the use or disclosure is required by law, HIPAA mandates that all business associates’ public health and health oversight uses and disclosures of PHI only occur upon the covered entity’s express authorization. HIPAA requires that this express authorization be included as a term within the Business Associate Agreement (BAA).

In its notification, OCR states that it will not impose penalties for failure to include this authority in a BAA where:

• The business associate’s use or disclosure for public health or public health oversight purposes is in good faith; and,
• The business associate reports the use or disclosure to the covered entity within 10 calendar days of the use or disclosure.

Q: Has the OCR offered any relief to support operation of COVID-19 Community-Based Testing Sites?

A: On April 9, 2020 OCR issued a Notification of Enforcement Discretion with respect to the good faith operation of a COVID-19 Community-Based Testing Site (CBTS). This Notification is effective retroactive to March 13, 2020. A CBTS supports collection of individuals’ specimens for COVID-19 testing.

OCR encourages CBTS to utilize reasonable safeguards which include:

• Follow HIPAA’s minimum necessary rule when using and disclosing PHI, except for treatment.
• Provide some privacy to individuals during the specimen collection such as a canopy or other opaque barrier.
• Space traffic at the point of service so that interactions are not seen or overheard. Requiring six feet between individuals would simultaneously reduce risk of disease transmission.
• Establish a “buffer zone” around the CBTS to prevent the public and the media from observing or filming individuals. Post signs prohibiting filming.
• Use secure technology to record and transmit electronic PHI.
• Post a Notice of Privacy Practices or instructions for online access in a location visible to individuals approaching the CBTS.

Review the Notification for a list of exclusions. For example, the Notification applies only to a covered health care provider’s CBTS functions; it does not apply to health plan or clearinghouse functions, nor to non-CBTS activities.

Q: Is the HIPAA Security Rule suspended during a national or public health emergency?

A: No. Within the limited waiver, HHS makes clear that compliance with the HIPAA Security Rule’s administrative, physical and technical safeguards are still required to protect patient information against intentional or unintentional impermissible uses and disclosures. However, the Secretary of HHS has authority to waive sanctions and penalties when the President declares an emergency or disaster and the HHS Secretary declares a public health emergency. Further, OCR evaluates complaints on a case by case basis and exercises its discretion when it takes enforcement action.

42 CFR Part 2 during a Pandemic

Q: Has the Substance Abuse and Mental Health Services Administration (SAMHSA) waived compliance with 42 CFR Part 2 (Part 2) for substance use disorder (SUD) treatment providers during the COVID-19 pandemic? What is required?

A: No, Part 2 remains in place for SUD treatment providers who are required to protect client confidential information. Because of the COVID-19 pandemic, many SUD providers are utilizing telehealth services to ensure that their patients still have access to care.

The Center for Excellence for Protected Health Information provides guidance on SUD providers’ use of telehealth services. Part 2 requires reasonable safeguards, such as avoiding public Wi-Fi, password protection of devices, and keeping confidential files secure. See 42 CFR § 2.16.

The Center’s guidance states that providers can use private facing apps such as Zoom, FaceTime, or Skype. See also FAQ. Where a telehealth service will have access to patient information, a provider must obtain patient consent to disclose their information to the telehealth service. Consent may be obtained electronically, as long as state law allows.  Additionally, a SUD treatment provider must include a notice prohibiting re-disclosure when sharing identifying information with payers or other non-medical third parties. See 42 CFR § 2.31.

Further, Part 2 allows SUD treatment providers to share patient information for treatment purposes during a medical emergency without a signed patient consent form. Providers must make their own determination that a medical emergency exists. Disclosures made under the medical emergency exception must be documented in the patient’s records. 42 CFR § 2.51 and SAMHSA Guidance.

The Center for Excellence for Protected Health Information recommends that providers document how consent was obtained within the patient’s chart as well as how services were provided, such as in-person or by a telehealth service. See 42 CFR § 2.13. The Center further recommends that providers develop agency-wide protocols for obtaining patient consent virtually. Agencies should provide training on these new protocols as well as documentation standards.

Finally, the center recommends that a SUD provider counsel their clients on taking steps to safeguard their health information, such as avoiding public Wi-Fi and using passwords on their devices.

Applicability of HIPAA to Public Health

Q: Does HIPAA apply to public health departments?

A: HIPAA applies only to “covered entities” and their business associates.  Covered entities are:

• Health Plans (includes Blue Cross, commercial insurers, group health plans, HMOs, Medicaid, Medicare)
• Health care providers that engage in standard electronic transactions with regard to payment
• Health Care Clearinghouses (companies that translate and reformat electronic transactions)

A health department’s clinic that provides health services to individuals and bills health plans electronically for those services is covered by HIPAA. Even if a health department offers health services, such as vaccinations or sexually transmitted disease screening, in furtherance of health goals, it may be covered by HIPAA. These health services are HIPAA covered if the clinic bills electronically or utilizes any of the standard transactions in the administrative or financial aspects of health care delivery. If a health department operates a health plan, such as Medicaid or the Children’s Health Insurance Program, those relevant components are covered by HIPAA. 

Whether HIPAA applies to a health department’s communicable disease program depends on the organization of the health department and whether it has declared itself a “hybrid entity”, designating covered components and non-covered components.  If the communicable disease program is within the covered component of a hybrid entity or within a fully covered health department, then HIPAA applies to the communicable disease program. Thus, the advantage of the hybrid designation is that HIPAA’s stringent disclosure requirements do not apply to core public health functions. For more information about HIPAA coverage assessments of health department and the hybrid entity policy option, read more.

Regardless of HIPAA, health departments must also comply with state laws regarding confidentiality of information.  State confidentiality law may provide for the confidentiality of reports, records, and data pertaining to testing, care, treatment, reporting and research associated with communicable diseases and serious communicable diseases or infections.

Q: How do I know if my health department is a hybrid entity?

A: A health department is a hybrid entity if it has designated its covered components in compliance with HIPAA. Absent this designation, the HIPAA Privacy Rule requirements apply to the entire legal entity. 45 CFR §§ 164.103 and 164.105(a) and (c). If a health department is a hybrid entity, the HIPAA Privacy Rule requirements apply only to the department’s covered components.

To become a hybrid entity, the HIPAA Privacy Rule requires identification of covered components—i.e., components that would meet the definition of a covered entity or business associate if they were separate legal entities. 45 CFR § 164.105(a)(2)(iii).

This designation must be in writing or recorded electronically. Electronic recordation, i.e., saving a copy of the policy in Word or other word processing program, provides for ease of revision and is generally preferred. Typically, this designation takes the form of a hybrid entity policy. See the Network’s Hybrid Entity FAQs for more information.

Accordingly, review your HIPAA policies to see whether there is a hybrid entity policy and which programs are listed as HIPAA covered. Presumably, any programs not listed as covered components within the hybrid entity policy were previously determined by your health department as not covered by HIPAA.

HIPAA Basics

Q: Does HIPAA allow providers to report health information to a health department’s communicable disease program without patient authorization?

A: Yes. HIPAA privacy regulations permit “covered entities” (such as hospitals, clinical laboratories, nursing homes, and physicians) to provide protected health information (PHI) to “public health authorities” such as state and local health departments for certain purposes:

• “A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority. . .”
• “A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation.” 45 CFR § 164.512(b). Read more.

Q: When a health department’s clinic or other HIPAA covered program wants to share PHI in an emergency situation, is patient authorization always required?

A: No. HIPAA allows a covered entity to share PHI without authorization for public health activities, as described above; for treatment; to family, friends, and others involved in the individual’s care and for notification; and, to prevent or lessen a serious or imminent threat. Each of these disclosures’ prerequisites, conditions and limitations are described within the limited waiver. For additional information, please see this OCR FAQ regarding information sharing in a severe disaster.

Q: If a health department is providing routine and recurring disclosures of COVID-19 PHI, may it create a policy to address the disclosures or must it document the rationale on a case-by-case basis?

A: A health department may develop a policy to govern routine and recurring disclosures. For example, a specific policy might be beneficial where a health department releases COVID-19 PHI on a daily basis to an EMS dispatch. In this model, the EMS dispatch will use the information to advise EMS responders to use personal protective equipment or take extra precautions. Here, the health department is sharing PHI for the purposes of preventing or controlling the spread of COVID-19. Applicable other law, such as state and tribal law, must also authorize this disclosure. 45 CFR § 164.512(b)(1)(iv).

The health department should develop written protocols as part of its policies and procedures to address the type and amount of information that may be disclosed for each purpose. See OCR FAQ. Ideally, each policy will provide a citation to the pertinent federal, state, and tribal law that authorizes or requires the disclosure. In the example above, health department policy should cite to HIPAA, if applicable, and other state or tribal law. The Public Health COVID-19 Frequently Utilized HIPAA Privacy Rule Provisions might be useful in policy development.  

Disclosures that do not fall within a health department’s policy will need to be addressed on a case-by-case basis.

Q: How do health departments determine what COVID-19 PHI meets the “minimum necessary” test for disclosure?

A: Generally, aside from disclosures for treatment purposes and disclosures required by law, HIPAA covered health departments must make reasonable efforts to only disclose the minimum necessary PHI to accomplish the purpose of the disclosure. 45 CFR § 164.502(b). Consequently, the following common COVID-19 disclosures all require a minimum necessary analysis:

• To persons at risk of infection, such as first responders
• To prevent or lessen a serious and imminent threat to the health and safety of a person or the public, such as to child welfare workers, mental health crisis services personnel, fire department personnel or others charged with protecting the health or safety of the public.
• To close contacts, such as a spouse, family members, friends, or other persons identified by a patient. Even when the patient is not present or is otherwise incapacitated, a covered entity may share this information if it determines that doing so would be in the patient’s best interest. See Public Health COVID-19 Frequently Utilized HIPAA Privacy Rule Provisions.

HIPAA offers covered entities flexibility in assessing what is needed to address their unique circumstances based upon the characteristics of their business and workforce. OCR describes minimum necessary as a “reasonableness standard” and points to best practices and guidelines already in use. This standard is intended to be reflective of professional judgment and existing standards. HIPAA covered entities are encouraged to include the input of their prudent professionals when making minimum necessary determinations and not to inappropriately limit PHI that sacrifices health care quality. See OCR FAQ.

For example, a HIPAA covered hospital might determine that a list of names and addresses of all individuals known to have tested positive or received treatment for COVID-19 is the minimum necessary PHI to share with an EMS dispatch. The hospital’s decision to share this PHI to persons at risk of infection meets HIPAA’s reasonableness standard. See OCR Guidance.

As a health department evaluates disclosure decisions, it should include professionals who understand the purpose of the disclosure and minimum necessary PHI needed to accomplish it. This decision might be memorialized in policy so that it is easily referenced for common disclosures or documented in writing on a case-by-case basis.

Privacy Rights

Q: What specific privacy protections (i.e., which laws) apply to individuals’ information when they are in quarantine or isolation?

A: The Constitution does not expressly afford a right to information privacy. In 1977, the United States Supreme Court held that the Constitution provides a limited right to information privacy. The Court upheld the New York State Department of Health’s collection of personal information pertaining to individuals who have obtained certain prescription medication for which there is also an unlawful market. See Whalen v. Roe. Interpreting this decision in United States v. Westinghouse Electric Corporation, the Third Circuit identified factors relevant to evaluating whether the government’s interest in collecting personal health information outweighs individual privacy interests, including:

• Type of record requested. Examples of types of records include medical records and tax records;
• Information the record does or might contain. Examples of information include intimate facts of a personal nature, such as past medical history, present illness or the fact of treatment;
• Potential for harm due to re-disclosure;
• Injury to the relationship through which the record was generated;
• Adequacy of the requesting agency’s safeguards to prevent unauthorized disclosure;
• Government interest in accessing the information; and,
• Whether there is an express statutory mandate, articulated public policy, or other recognizable public interest militating toward access.

United States v. Westinghouse Elec. Corp., 638 F.2d 570, 578 (3d Cir. 1980).

Individuals’ privacy interests are further protected by a patchwork quilt of federal and state statutes that safeguard health information.

Congress passed the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 (HIPAA), which regulates some health department programs, such as clinics that bill health plans electronically. HIPAA also regulates health plans offered by health departments, such as Medicaid. 45 CFR § 164.103. The federal Health and Human Services’ (HHS) Office for Civil Rights (OCR), which enforces HIPAA, has issued several Notifications of Enforcement Discretion indicating they will not impose penalties for specified HIPAA violations during the COVID-19 nationwide public health emergency. Further, HHS issued a limited waiver waiving sanctions and penalties against covered hospitals that do not comply with specific portions of the HIPAA Privacy Rule. For more information regarding the limited waiver and Notifications of Enforcement Discretion, please see these FAQs.

States also enact laws to protect information privacy. Several states have comprehensive privacy laws that regulate all personal information. All states have Freedom of Information Laws with varying requirements and exceptions. All states have laws regarding the collection, use, and disclosure of health information which result in varying protections across the country.

Counterbalancing individual privacy interests, states’ police powers include protecting the health, safety and welfare of individuals within their borders. In times of disaster or emergency, state law may provide the governor and state or local health officers with broad legal authority to take reasonable measures to prevent and control COVID-19. See Legal Emergency Preparedness Resources. To determine whether a governor or health officer has suspended a specific state privacy statute or rule, visit the state’s website.

Nevertheless, individuals in isolation and quarantine generally have the same privacy protections as others, except to the extent that HHS, OCR, a governor, or a health officer has waived or suspended a privacy law or its enforcement.

However, some state quarantine laws may require the health officer or attending physician to place a quarantine placard at the infectious individual’s location under certain circumstances. See, e.g., Vermont Law and Ohio Law. Quarantine placards identify individuals or cohabitants as positive for a particular disease. Individuals who live in states that require quarantine placarding effectively have diminished privacy rights as compared to individuals who live in states without this requirement.

It is not clear whether HIPAA preempts state law requiring the posting of a quarantine placard. HIPAA provides a nationwide floor for health information privacy protections. Where state law is contrary to HIPAA, it is generally preempted and HIPAA must be followed. 45 CFR. §160.203. However, HIPAA provides several exceptions to this general rule including when state law is established “for the conduct of public health surveillance, investigation, or intervention.” 45 CFR § 160.203(c). Some states have developed publicly available preemption analyses that reflect which state laws are preempted by HIPAA. These preemption analyses are useful to public health attorneys and practitioners who seek to understand if a specific state law remains in effect or has been preempted by HIPAA. Additionally, a preemption analysis may also function as a de facto database of all state health related laws. See West Virginia’s 2019 Preemption Analysis. If there is a question as to whether a specific state statute is preempted by HIPAA, you might also consult with the Attorney General’s Office.

Q: What information may be shared by a HIPAA covered public health agency with a COVID-19 patient’s personal representatives?

A: HIPAA gives patients a legally enforceable right to access and copy their health records. 45 CFR § 164.524(a). This access right extends to the PHI that a covered entity maintains within its designated record set. 45 CFR § 164.501. This right also allows the individual to direct the covered entity to transmit a copy to a designated individual or entity. 45 CFR § 164.524(c)(3).

HIPAA requires that a personal representative be provided with all of the rights of the individual including access rights. A personal representative is someone authorized to act on behalf of an individual who is unable to exercise her rights under HIPAA. 45 CFR § 164.502(g). HIPAA looks to applicable law regarding who is authorized to act on behalf of the individual in making health care related decisions, such as the person named in a medical power of attorney instrument.

Accordingly, for health departments’ treatment services, such as HIPAA-covered clinics, individuals and their personal representatives are entitled to access and copy the individual’s entire medical and billing records. If COVID-19 PHI is maintained within those records, the individual and her personal representative are entitled to access and copy the records, including the COVID-19 PHI.

Fully HIPAA-covered health departments must extend HIPAA rights, including the right of access, to all individuals and their personal representatives with respect to the PHI within the designated record set. Consider the scenario where a patient’s personal representative requests access to COVID-19 PHI held by the disease prevention and control program. The health department must determine whether the COVID-19 PHI is used to make decisions about the individual or only about the population. If the health department’s disease prevention and control program uses the PHI to make decisions about the individual, the individual and her personal representative have a right of access to the COVID-19 records.

For health departments that have become hybrid entities under HIPAA and have restricted HIPAA to those functions where only legally required, such as the clinic, the disease prevention and control program will generally not be covered by HIPAA. In this situation, an individual’s right to access does not extend to information held by the non-covered programs within the health department.

Disclosures to the Media

Q: May health departments release COVID-19 county level case information (number of COVID-19 cases by county) to the press?

A: Generally, the vast majority of state health departments’ disease prevention and control programs are not HIPAA covered. This is to say that most state health departments have chosen the hybrid option under HIPAA and likely have identified their disease prevention and control programs as core public health functions that are not subject to HIPAA. See the discussion above regarding health departments limiting HIPAA’s coverage by becoming a hybrid entity.

However, generally all health departments must comply with state law and other federal law regarding confidentiality of information. State confidentiality law may provide for the confidentiality of reports, records, and data pertaining to testing, care, treatment, reporting and research associated with communicable diseases and serious communicable diseases or infections. Further, health department policy also governs health departments’ disclosures of information to the media regarding COVID-19 and other communicable disease. Relevant law and policy should be consulted.

The Association of State and Territorial Health Officials, the National Association of County & City Health Officials, and the Association of Health Care Journalists developed guidance regarding the release of information concerning deaths, epidemics or emerging diseases. This guidance may assist health departments in determining such questions as whether to include a patient name with a school or whether more general information is appropriate.

This press release reflects how one jurisdiction balances the public’s right to know against an individual’s right to privacy and confidentiality.

For health departments that are fully covered by HIPAA, please see the FAQ below.

Q: May a county health department that is not covered by HIPAA release to the media the names of long-term care facilities that have at least one COVID-19 positive case and the number of infected residents and workers?   

A: As the numbers of COVID-19 positive individuals and deaths rise, the media continues to request more information and more detail about infected individuals. Media accounts reflect that some health departments are releasing more granular information than others.

Some public health experts believe that it is important to release very detailed COVID-19 information so that residents can see where the virus has spread and consider taking more protective measures. For example, some health departments report when an employer’s location or a nursing home has an outbreak.

Other health departments do not provide granular COVID-19 case data, instead reporting cases and deaths at a county level. These health departments may be concerned that the release of community clusters might cause neighborhood-based stigma or discrimination. Other health departments are concerned that releasing city level data might allow individuals to be identified. Still others believe that specific geographic information is of limited value where there is already community spread. See The New York Times’ How much Should the Public Know about Who Has the Coronavirus? 

To protect the public’s health and maintain public trust, public health must share as much information as possible with the media and the public. The specifics differ among jurisdictions based on applicable laws, priorities, culture, community members’ lived experience, and COVID-19 spread.

If the county health department is not covered by HIPAA, disclosure is regulated by state law. During the H1N1 pandemic of 2009, there was significant variation in the information public health officials shared with the media and the public. The media’s emphasis on its struggle to obtain detailed health information diverted attention from public health messaging and hurt public trust. In response, the Association of State and Territorial Health Officials, the National Association of County and City Health Officials and the Association of Health Care Journalists developed Guidance on the release of information concerning deaths, epidemics or emerging diseases.

This Guidance is relevant today when considering how to keep the media and the public informed. It recommends that public health share as much information as possible, as allowed by law. When information cannot be shared, the reasoning should be shared, particularly when it is based in law. The process of sharing as much information as possible will build trust and credibility, encouraging people to more willingly accept public health recommendations. The Guidance offers a framework that balances the public’s need for transparency with individuals’ need for privacy.

An important component of transparency is explaining public health’s role, identifying risks, and keeping the public updated on the current status of COVID-19 spread within the community. If there is a gap in reporting, rumor and mistrust may creep in.

Of course, there are many examples of scenarios where public health is unable to release certain information to the media and the public. State law may prohibit the disclosure to protect individual privacy. A public health official may need to brief leadership prior to releasing the information.

As privacy is first a matter of law in the public health setting, it may be helpful to utilize the Network’s paradigm: Can I? Must I? Should I?

With respect to “Can I?” a health department should first evaluate whether applicable law allows the data release. State law might prohibit local boards of health from disclosing identifiable COVID-19 health information without the individual’s written consent. An example is Massachusetts law which states:

All confidential personally identifying information, whether kept in an electronic system or paper format, including but not limited to, reports of disease, records of interviews, written or electronic reports, statements, notes, and memoranda, about any individual that is reported to or collected by the Department or local boards of health pursuant to 105 CMR 300.000, shall be protected by persons with knowledge of this information. Except when necessary for the Commonwealth’s or local jurisdiction’s disease investigation, control, treatment and prevention purposes, or for studies and research authorized by the commissioner pursuant to M.G.L. c. 111, § 24A, the Department and local boards of health shall not disclose any personally identifying information without the individual’s written consent. Only those Department and local board of health employees who have a specific need to review personal data records for lawful purposes of the Department or local board of health shall be entitled access to such records. The Department and local boards of health shall ensure that all paper records and electronic data systems relating to information that is reported to or collected by the Department or local boards of health pursuant to 105 CMR 300.000 are kept secure and, to the greatest extent practical, kept in controlled access areas.105 CMR 300.120(A).

Although the law generally prohibits disclosure of identifiable information, it provides an exception where the disclosure is necessary for disease investigation, control, treatment and prevention purposes.

To answer “Can I?,” you need to evaluate whether disclosure of long-term care facilities that have at least one COVID-19 positive case and the number of infected residents and workers will identify individuals. If you determine that releasing the information is likely to allow re-identification of individuals, you might next evaluate whether the disclosure is necessary for COVID-19 control and prevention, if this is a permissible reason for disclosing identifiable information.

With respect to “Must I?” the response is usually no, because the health officer has significant discretion in determining how to protect the public and prevent and control the spread of disease.

With respect to “Should I?” the Guidance described above may help public health officials determine which data features should be released. The Guidance recommends sharing as much information as possible from each of the following categories: age, gender, residence, underlying condition, time and place of death. Attention should be paid to the level of granularity so that individuals may not be re-identified. The Guidance recommends that prioritizing specificity in one category may be balanced by releasing less granular information in other categories.

In early April 2020, the Minnesota Department of Health (DOH) experienced pressure from the media and the public to release information about whether any senior living facilities were experiencing COVID-19 outbreaks. See Star Tribune’s Minnesota health officials continue to conceal names of senior care facilities with coronavirus. As of April 7, 2020, the Minnesota DOH began sharing a county-by-county list of congregate care facilities with outbreaks, if the facility has 10 or more residents.

The DOH is also sharing statewide information regarding total number of completed tests; total number of positive cases; total cases no longer needing isolation; total deaths; total cases requiring hospitalization, including within the ICU and non-ICU; age ranges by total cases, non-hospitalized cases, hospitalized cases, hospitalized cases in ICU and deaths; gender, race and ethnicity; source of likely exposure; and, residence type for positive case, including private residence, long-term care facility, long-term acute living, assisted living, homeless shelter, jail/prison, college dorm, other and unknown/missing.  The DOH shares more limited information at the county level: total cases and total deaths. Minnesota states “We will not release specific locations for any patients being tested in order to protect patient privacy.” Thus, Minnesota strikes a balance between individual privacy and the public’s need for information by releasing more granular location data (county and name of congregate care facility), but disclosing other data aggregated at the state level.

In determining an appropriate balance, a health officer might consider the following benefits to transparency:

• Maintaining openness to preserve the public’s trust;
• Preventing and controlling the spread of COVID-19; and,
• Allay unfounded fears so that the public follows public health’s recommendations.

These public benefits must be weighed against potential harm to individual privacy:

• Re-identification of individuals;
• Stigma to a community or neighborhood; and
• Discrimination against a community or neighborhood.

A health department should document its analysis, including alternatives considered, and its decision. See, Executive Decision Making and Liability for Public Health Officials.

Q: Fully HIPAA covered only. May a fully HIPAA covered health department issue a press release to the media or the public at large about a COVID-19 case which includes patient identifiable information such as the COVID-19 test, test results or details of the illness?

A: When a health department’s communicable disease program is covered by HIPAA (see earlier discussion), it may not release identifiable information about a patient or the treatment to the media without a signed patient authorization. This guidance aligns with information provided in HHS’ limited waiver. See the FAQ immediately below for additional options for disclosing information to the media.

Further, all health departments must also comply with state law, other federal law, and health department policy regarding confidentiality of information as discussed immediately above. 

Q: Fully HIPAA covered only. May a fully HIPAA covered health department release COVID-19 county level case information (number of COVID-19 cases by county) to the press?

A: A fully HIPAA covered health department may not disclose the number of positive COVID-19 cases by county because this constitutes PHI. HIPAA requires that this disclosure only occur with patient authorization or if the information has been de-identified.  

HIPAA offers two methods of de-identification. The first, known as the Safe Harbor method, is commonly utilized in public health. 45 CFR § 164.514(b)(2). The Safe Harbor method requires removal of any unique identifying numbers, characteristics or codes. For example, the following identifiers must be removed before the information is considered de-identified and may be released: patient name; geographic subdivision smaller than a state, such as county; and any date, except year, such as an approximate date of an individual’s COVID-19 test result. For more information, please see the Network’s De-identification Toolkit.

The second means of de-identifying information is known as the expert method. A fully HIPAA covered health department might utilize a HIPAA expert to evaluate the degree of risk the information proposed to be disclosed, alone or in combination with other reasonably available information, could be used to identify an individual. If the expert concludes that the risk of re-identification is “very small”, the health department may disclose accordingly. The HIPAA expert must document the results. A HIPAA expert is a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable. 45 CFR § 164.514(b)(1). For more information, please refer to the Network for Public Health Law’s quick reference.

Q: Are there alternative ways to support a fully HIPAA covered health department’s decision to release COVID-19 county level case information (number of COVID-19 cases by county) to the press?

A: If a fully HIPAA covered health department cannot take advantage of the two de-identification methods to share the number of positive COVID-19 cases per day, but believes that the information is essential for the people who live in its jurisdiction, it should consider alternatives that would avoid adverse health consequences.

For example, fully HIPAA covered health departments might consider HIPAA’s exception to its general rule of state preemption, which preempts any contrary provision of state law. 45 CFR § 160.203.

Where HIPAA and state law conflict, HIPAA generally preempts state law. But under certain circumstances, HIPAA preemption does not apply where state law provides “for the conduct of public health surveillance, investigation, or intervention.” 45 CFR § 160.203(c). In particular, HIPAA would not control how state and local health departments implement state laws to monitor COVID-19.

Accordingly, the argument is that HIPAA does not limit a health department’s disclosure of information as it conducts COVID-19 related surveillance, investigation, and intervention pursuant to State law. This approach is a novel and emerging legal theory to address the COVID-19 pandemic. Please note that to date, we have identified no OCR guidance to this effect. This emergency situation could not have been anticipated and time is of the essence.

Q: Fully HIPAA covered only. May a fully HIPAA covered health department release COVID-19 county level case information (number of COVID-19 cases by county) to the press to avert a serious threat to public health or safety?

A: HIPAA permits HIPAA covered entities to disclose PHI where the covered entity has a good faith belief that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. Disclosure of a COVID-19 case at the county level is protected PHI. Disclosures to avert a serious threat to health must be consistent with all applicable law, such as state law, and conform to ethical standards. The disclosure must also occur to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat. 45 CFR § 164.512(j). Please see the Network for Public Health Law’s discussion of considerations in applying this HIPAA exception to a proposed disclosure of HIPAA protected information to the media.

Q: Does HIPAA require a health department to obtain patient authorization before it allows the media or a film crew on-site?

A: Yes. HIPAA requires covered health departments to obtain patient authorization before it allows the media and film crews into any area where PHI is accessible in any form – written, electronic, oral, other visual, or audio. The media’s blurring of a patient’s face or altering a patient’s voice does not alone meet HIPAA’s privacy requirements. Express, written authorization from every patient in the area is required prior to the media’s entry into the area. Covered entities must also use reasonable safeguards to prevent unauthorized disclosure of PHI, such as computer monitor privacy screens and opaque barriers to block the film crew’s view of patients who did not sign an authorization. See OCR Guidance.

Disclosures to First Responders

Q: How may health departments share patient specific COVID-19 information with first responders that both provides needed information and respects individual privacy?

A: With respect to fully HIPAA covered health departments, OCR released guidance on 3.25.20 detailing legally permissible disclosures to law enforcement, paramedics, and other first responders:

• When the disclosure is needed to provide treatment, such as when emergency medical transport personnel will need to provide treatment to an individual with COVID-19 while transporting that person to a hospital.
• When the disclosure is necessary because first responders may be at risk of infection, as authorized by state law. An example is where a county health department, in accordance with state law, discloses identifiable COVID-19 information to a police officer or others to prevent or control the spread of COVID-19.
• When the disclosure is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. For example, a health department may share PHI about individuals who have tested positive for COVID-19 to first responders if the health department believes in good faith that it is necessary to prevent or minimize the threat of imminent exposure in discharging their duties. OCR’s recent guidance states that health care professionals must follow professional ethical standards and state law in making good faith determinations.

OCR offers a best practice for health departments sharing information with first responders when they are at risk of infection. This approach balances individual privacy with protecting the health and safety of first responders from infectious disease. If authorized by other law, such as state law, OCR indicates that a covered entity, such as a fully covered health department, could provide a list of names and addresses of all individuals who have tested positive or received treatment for COVID-19 to an EMS dispatch. On a per call basis, EMS dispatch would use the information on the list to inform the EMS personnel who are responding to the particular call so that they can use personal protective equipment or take extra precautions.

OCR’s guidance provides limitations, conditions and prerequisite for each of these disclosures, as well as legal citations.

Further, generally all health departments must comply with state law and other federal law regarding confidentiality of information. State confidentiality law may provide for the confidentiality of reports, records, and data pertaining to testing, care, treatment, reporting and research associated with communicable diseases and serious communicable diseases or infections. Relevant law and policy should be consulted.

Q: Can (or must) an emergency responder be notified if they have assisted with transporting an individual who tests positive for COVID-19?

A: As of March 27, 2020, the CDC National Institute for Occupational Safety and Health (NIOSH) has added COVID-19 to its list of potentially life-threatening diseases to which emergency response employees (EREs) may be exposed in the course of their work. Pursuant to an amendment to the Public Health Service Act codified at 42 U.S.C. § 300ff–131-140, medical facilities must notify an ERE in accordance with NIOSH guidelines if a patient the ERE treated or transported has a listed disease.

Accordingly, if a medical facility determines that an emergency victim has COVID-19, it must promptly (within 48 hours of the determination) notify the designated officer of the ERE agency that transported the victim. In turn, the designated officer must inform the exposed EREs. In addition, as permitted with regard to all listed diseases, an ERE (through the designated officer) may request that a medical facility determine whether the ERE was potentially exposed to COVID-19 while treating or transporting an emergency victim. The medical facility must respond within 48 hours after receiving the request.

A notification to the designated officer under either process must include the name of the infectious disease involved and the date on which the emergency victim was transported. As long as the disclosure is limited to these required elements, the disclosure is permitted by the HIPAA Privacy Rule because it is required by law. 45 CFR § 512(a). Note that the notification requirement does not authorize or require a medical facility to test an emergency victim for a listed disease, nor does it authorize or require the facility, designated officer, or ERE to disclose identifying information about the emergency victim or ERE.

A covered emergency response employee is not defined by the statute or NIOSH guidelines, but in publishing its final guidelines in 2011, NIOSH indicated that “the duties of an individual considered an ERE are described in 42 U.S.C. § 300ff–133(a):

“[i]f an emergency response employee believes that the employee may have been exposed to an infectious disease by a victim of an emergency who was transported to a medical facility as a result of the emergency and if the employee attended, treated, assisted, or transported the victim pursuant to the emergency, then the designated officer of the employee shall, upon the request of the employee, carry out the duties described in subsection (b) regarding a determination of whether the employee may have been exposed to an infectious disease by the victim.”

The term “medical facility” is also undefined, but appears to encompass any facility that treats or ascertains the cause of death of an individual who was transported by EREs. See 42 U.S.C. § 300ff–132, 133, 137.

Keep in mind that in states with laws “substantially consistent” with this federal law, the state law may apply instead.

For more information, review the CDC’s webpage discussing this law.  

Q: May a health department provide the names and residential addresses/locations of all positive COVID-19 cases to all first responders to protect their health?

At this time, there is no clear answer to the question.

A health department might use the following framework to evaluate how to proceed. Can I? Must I? Should I?

With respect to “Can I?” the question is whether there is legal authority to disclose this information. While it is likely there is legal authority to disclose this information to first responders, as is outlined in the FAQ above, must the health officer warn first responders of the COVID-19 status for all individuals in the community who have tested positive? Usually not, because the health officer has significant discretion in determining how to protect the public and prevent and control the spread of disease.

The health officer might then analyze “Should I?” This decision is based on professional judgment with input from team members with subject matter expertise. The health officer will weigh the competing interests – balancing the individual’s interest in privacy against protecting EMS employees, the health care system, and the general public.

For a robust discussion of these considerations, along with guidance around the decision-making process, please see this resource. The resource is also important for addressing the issues discussed in the FAQs immediately below.

Q: Is it appropriate for public health to request consent from asymptomatic medium risk travelers to provide their name and residential address/location to emergency responders (EMS) in order to protect the health of EMS personnel?

A: At this time, there is no clear answer to the question.

A health department might use the following framework to evaluate how to proceed. Can I? Must I? Should I?

With regard to “Can I?” In other words, does the health officer have the legal authority to disclose this information? Most likely yes, as the disclosure would occur with patient authorization. If HIPAA applies to the health department and the health department obtains a valid signed patient authorization, HIPAA permits disclosure. 45 CFR § 164.508. Whether or not HIPAA applies, states may have their own requirements that apply to disclosure by a local health department identifying an individual who has or is being monitored for potential development of a communicable disease. State law with respect to consent requirements should be evaluated.

With regard to “Must I?” Usually not, while the health officer must protect the public and prevent and control the spread of disease, the health officer has a great deal of discretion in determining how to do this.

With regard to “Should I?” This is where most public health decision-making lies. Most decisions are discretionary, based on professional judgment with input from team members with subject matter expertise, if indicated. Here, a health officer will need to weigh competing interests – balancing the individual’s interest in privacy against protecting EMS employees, the health care system, and the general public. Where public health requests a patient consider consenting to the disclosure of her information and a patient signs the HIPAA patient authorization and possibly a state required consent form, the patient is given the opportunity to make the decision for herself.

For guidance around the decision-making process, please see this resource.

Disclosures to Law Enforcement

Q: Under HIPAA, in the absence of a court-ordered warrant or a subpoena, or summons issued by a judicial officer, what information about a positive COVID-19 case can a public health department share with law enforcement for the purpose in assisting with enforcing social distancing measures?

A: HIPAA provides several options for sharing PHI with law enforcement without patient authorization:

• To the extent that disclosure is required by other law, such as state law. 45 CFR § 164.512 (a).
• To persons at risk of contracting or spreading a disease or condition if the health department is authorized by law to notify such person (e.g., law enforcement) as necessary in the conduct of a public health intervention or investigation. 45 CFR 164.512(b)(1)(iv).
• To prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. 45 CFR 164.512(j). Health departments may disclose a patient’s health information to anyone who is in a position to prevent or lesson the serious and imminent threat, including family, friends, caregivers, and law enforcement without a patient authorization. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety. 45 CFR 164.512(j).

Disclosures to the Military

Q: May a HIPAA covered health department share COVID-19 PHI with the military in the same way that it shares PHI with law enforcement?

A: HIPAA defines law enforcement as, “any government official at any level of government authorized to either investigate or prosecute a violation of the law.” See 45 CFR § 164.103. With few exceptions, military personnel generally do not investigate or prosecute a violation of the law. Therefore, it would not be permissible to disclose PHI to military personnel under the law enforcement exception.

The Civil Military Medicine Division (CMM) of the Department of Defense’s (DoD) Military Health System (MHS) ensures health service support to military missions and during domestic crises that are outside the realm of major combat operations. CMM is a part of the National Disaster Medical System (NDMS), a federally coordinated healthcare system and partnership of the United States DoD, Departments of Health and Human Services, Homeland Security, and Veterans Affairs. The purpose of the NDMS is to support State, Local, Tribal and Territorial authorities following disasters and emergencies by supplementing health and medical systems and response capabilities.

The DoD has designated itself a hybrid entity and specifically defined the MHS to only include DoD health plans and health care providers conducting standard electronic transactions. Because of this, if the military is providing health service support through a covered component, it can be treated the same as any other covered entity and may share PHI for treatment, payment, or health care operations. See 45 CFR § 164.506.

Under certain circumstances, a covered entity may also share PHI with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, consistent with applicable law and standards of ethical conduct. See 45 CFR § 164.512 (j).

Finally, when applicable, a health department may use HIPAA’s public health exception to share information with military personnel when such information is necessary to carry out its public health mission. See 45 CFR § 164.512 (b).

Q: Can the National Guard personnel have access to epidemiological surveillance data to assist a health department’s epidemiology staff with public health activities?

A: The National Guard is different from other military branches. States are free to employ their National Guard forces under state control as provided in the state’s constitution and statutes, and performed in accordance with state law. National Guard members performing this type of duty are said to be in “State Active Duty status,” meaning that command and control rests solely with the Governor and the state or territorial government.

You will have to consult your state’s constitution and statutes to determine how the National Guard is organized within your state. Because the National Guard may be treated as another state agency, you should consult state statutes and regulations governing interagency relationships. Some state laws allow an agency to embed members of another agency’s workforce as members of their own workforce. This would allow National Guard personnel to act as members of the health department’s workforce and therefore have access to the necessary surveillance data.

If you cannot embed National Guard personnel as members of your agency’s workforce, how PHI may be shared with National Guard personnel could be influenced by your health department’s HIPAA status. A non-covered entity or a non-covered component of a hybrid entity would not have to comply with HIPAA requirements and can rely fully on other federal laws and state authority to share such information. A fully covered entity would generally be restricted from sharing information absent patient consent. But the agency may be able to treat the National Guard as a business associate, a person or entity that performs certain functions or activities involving the use or disclosure of protected health information on behalf of a covered entity. These services may include data analysis, which would require the execution of a business associate agreement.

Finally, HIPAA permits covered entities to disclose PHI where the covered entity has a good faith belief that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. Disclosures to avert a serious threat to health must be consistent with all applicable law, such as state law, and conform to ethical standards. The disclosure must also occur to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat. A health department would need to determine if activities of National Guard personnel would meet this standard. See 45 CFR § 164.512(j).

Disclosures in Judicial and Administrative Proceedings

Q: If the health department receives an order from a court or administrative tribunal requesting patient identifiable COVID-19 information, may it share the requested PHI with the court or administrative tribunal?

A: For those health departments that are fully covered by HIPAA, law allows a health department to respond to a court or administrative tribunal’s order, but only to the extent as specified in the order. Only the minimum necessary PHI may be disclosed. 45 CFR § 164.512(e)(1)(i).

All health departments must comply with state law and other federal law regarding confidentiality of information. State confidentiality law may provide for the confidentiality of reports, records, and data pertaining to testing, care, treatment, reporting and research associated with communicable diseases and serious communicable diseases or infections. Relevant law should be consulted.

Q: If the health department receives a subpoena, discovery request or other lawful process requesting patient identifiable COVID-19 information that is unaccompanied by an order, is disclosure is permissible?

A: If a fully HIPAA covered health department receives a subpoena, discovery request or other lawful process that is unaccompanied by an order, disclosure is permissible if the health department receives “satisfactory assurances” from the party seeking the information that reasonable efforts have been made to put the subject individual on notice of the request or that reasonable efforts have been made by the health department to secure a HIPAA compliant qualified protective order. Only the minimum necessary PHI may be disclosed. 45 CFR § 164.512(e)(1)(i).

As above, all health departments must comply with state law and other federal law regarding confidentiality of information. State confidentiality law may provide for the confidentiality of reports, records, and data pertaining to testing, care, treatment, reporting and research associated with communicable diseases and serious communicable diseases or infections. Relevant law should be consulted.

Disclosures in Response to a Freedom of Information Act Request

Q: If a health department receives a request for personally identifiable COVID-19 information under the applicable state Freedom of Information Act or other open records law, how should it respond?

A: Health departments must comply with both applicable open records law as well as state and federal confidentiality and privacy law as they respond to requests for personally identifiable COVID-19 information. The Reporters Committee for Freedom of the Press provides an Open Government Guide which offers a compendium of each state’s open records laws.

For those health departments that are fully covered by HIPAA, they may only release PHI that is required to be released by applicable state public records law. 45 CFR 164.512(a). For more information, please see OCR guidance.

Re-Disclosures for Treatment

Q: May a health department re-disclose COVID-19 lab test results received from non-state labs, such as commercial labs and pop-up labs, for treatment purposes?

A: HIPAA and likely most state laws do not regulate data use and disclosure based on data ownership. HIPAA regulates a covered health care provider’s PHI use and disclosure according to the purpose of the activity. HIPAA permits covered health departments to disclose, without patient authorization, PHI about the patient as necessary to treat either the patient or a different patient. HIPAA does not prohibit disclosure of PHI for treatment solely because the information was created by another health care provider, such as a laboratory. 45 CFR § 164.506(c).

HIPAA also permits covered health departments to share PHI with other health care providers for purposes of care coordination or management without patient authorization. HIPAA considers care coordination and management part of treatment activities. 45 CFR § 164.501.

Other federal or state laws may restrict a health department’s re-disclosure authority. For example, the federal substance use disorder regulations strictly limit re-disclosure. 42 CFR § 2.32. State law may impose limitations on re-disclosure for both covered and non-covered health departments. Health departments should examine state law to identify any state law limitations.

Some health care providers are reluctant to re-disclose health information that they did not create. This reticence may stem from older policy prohibiting this re-disclosure. Addressing this question from an information management standpoint, the American Health Information Management Association recommends that providers re-disclose PHI “[t]o other healthcare providers when it is necessary to ensure the health and safety of the patient.” AHIMA (2013 update).

Disclosures for Health Care Operations

Q: May a health care provider use PHI to identify and contact patients who have recovered from COVID-19 to provide them with information about donating blood and plasma to help others?

A: Yes. Using COVID-19 PHI for this purpose is considered health care operations and does not require a health care provider to obtain patient authorization.

HIPAA permits covered health care providers to use or disclose PHI for treatment, payment, and health care operations, among other purposes, without patient authorization. See 45 CFR §§ 164.502(a)(1)(ii) and 164.506. Health care operations include population based activities relating to improving health, and case management and care coordination activities that do not meet the definition of treatment. See 45 CFR § 164.501. An example of case management and care coordination activities that fall within health care operations are where such activities are not connected to the care of a specific patient. Blood and plasma from patients who have recovered from COVID-19 contain antibodies to the coronavirus which will help treat other patients with COVID-19. A health care provider’s use of PHI to contact patients who have recovered from COVID-19 will improve her ability to conduct case management for patient populations with respect to COVID-19.

When using or disclosing PHI for health care operations, the covered health care provider must ensure to use or disclose only the minimum necessary to accomplish the intended purpose. See OCR Guidance.

Disclosures to Close Contacts

Q: What information may be shared by a public health agency with a COVID-19 patient’s friends or family?

A: The HIPAA Privacy Rule specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient. See 45 CFR 164.510(b).  Even when the patient is not present or is otherwise incapacitated, a covered entity may share this information with those whom the patient has identified if it determines in exercising professional judgment that doing so would be in the patient’s best interest. These disclosures are not subject to the minimum necessary standard, which requires covered entities to limit the use or disclosure of PHI to the minimum necessary to accomplish the intended purpose.

Additionally, people in close contact with someone who is infected with a virus are at higher risk of becoming infected themselves and of potentially further infecting others. Closely watching these contacts after exposure to an infected person will help them get care and treatment and will prevent further transmission of the virus. The Privacy Rule permits covered entities to disclose necessary PHI without individual authorization to persons at risk of contracting or spreading a disease if other law, such as state law, authorizes the covered entity to notify such persons to prevent or control the spread of the disease or carry out public health interventions or investigations. See 45 CFR 164.512(b)(1)(iv).

The minimum necessary standard applies to these disclosures. See 45 CFR 164.502(b) and 45 CFR 164.514(d). A public health agency should use its discretion when determining the minimum amount of information that must be disclosed to close contacts, such as family members and friends, to prevent or control the spread of the disease.

Q: Is it appropriate for public health agencies to share protected health information of an employee with other employees at the same place of work during this COVID-19 crisis?

A: The HIPAA Privacy Rule recognizes the legitimate need for public health authorities to access PHI that is necessary to carry out their public health mission. The Privacy Rule permits a covered entity that is also a public health authority to use PHI for the purpose of preventing or controlling disease, including the reporting of disease and the conduct of public health surveillance, public health investigations, and public health interventions. See 45 CFR 164.512(b)(1)(i) and 45 CFR 164.512(b)(2).

People in close contact with someone who is infected with a virus are at higher risk of becoming infected themselves and of potentially further infecting others. Closely watching these contacts after exposure to an infected person will help them get care and treatment and will prevent further transmission of the virus. The Privacy Rule permits covered entities to disclose necessary PHI without individual authorization to persons at risk of contracting or spreading a disease if other law, such as state law, authorizes the covered entity to notify such persons to prevent or control the spread of the disease or carry out public health interventions or investigations. See 45 CFR 164.512(b)(1)(iv).

The minimum necessary standard, which requires covered entities to limit the use or disclosure of PHI to the minimum necessary to accomplish the intended purpose, applies to these disclosures. See 45 CFR 164.502(b) and 45 CFR 164.514(d). A public health agency should use its discretion when determining the minimum amount of information that must be disclosed to employees to prevent or control the spread of the disease. This information could include locations, dates, and times of potential exposure. Disclosure of personally identifying information of the infected individuals, such as name, age or job title, is generally not required in such circumstances.

Disclosures through a Health Information Exchange (HIE)

Q: May a health department share COVID-19 test results through a health information exchange (HIE) with health care providers and other health departments for treatment, care coordination, and public health activities?

A: HIPAA permits a covered health department to share COVID-19 test results through an HIE as long as the recipient is permitted to share PHI directly. Thus, a covered health department may share information through an HIE for treatment, care coordination, and public health activities. 45 C.F.R. §§ 164.502(e) and 164.504(e). The health department must have a signed Business Associate Agreement with the HIE that authorizes the disclosure and obligates the HIE to protect the information. Id.

Generally, health departments must also comply with state law and other federal law regarding confidentiality of information. This resource links to state health IT privacy and consent laws. State law and other applicable federal law should be reviewed.

Q: If a health department shares COVID-19 test results through an HIE, will the health department be responsible for another HIE participant’s unauthorized disclosure of the test results?

A: OCR states that “a covered entity [such as a covered health department] is not liable for a disclosure that is based on the non-compliance of another entity within the health information exchange, as long as the covered entity has complied with the Privacy Rule.” OCR FAQ.

Health departments should review state law within their jurisdictions to determine whether they might be immune from liability for participating in the HIE. As of 2018, 42 states, the District of Columbia and two territories have laws related to HIEs. Eight states do not have HIE laws: Alabama, Georgia, Hawaii, Indiana, Michigan, Montana, South Dakota, and Tennessee. Twenty-one states grant immunity to HIE participants. For more information about HIEs and state law, please see this resource.

Q: If a health department shares COVID-19 test results through an HIE, will the health department be responsible for the HIE’s unauthorized disclosure of the test results?

A: Where a covered health department has an appropriate Business Associate Agreement in place with the HIE, it is not directly liable for the HIE’s HIPAA violations. The Business Associate Agreement obligates the HIE to safeguard the COVID-19 test results and to report noncompliance to the covered health department. 45 C.F.R. §§ 164.502(e) and 164.504(e). See, OCR FAQ.

Health departments should review state law within their jurisdictions to determine whether they might be immune from liability for participating in the HIE. As of 2018, 42 states, the District of Columbia and two territories have laws related to HIEs. Eight states do not have HIE laws: Alabama, Georgia, Hawaii, Indiana, Michigan, Montana, South Dakota, and Tennessee. Twenty-one states grant immunity to HIE participants. For more information about HIEs and state law, please see this resource.

Disclosures to a Housing Authority

Q: Can a health department inform a housing authority director and their public safety staff if individuals living in a home supported by the housing authority are subject to a quarantine or isolation order?

A: A health department might use the following framework to evaluate how to proceed: Can I? Must I? Should I?

With respect to “Can I?” the question is whether the health department has legal authority to disclose this information. While it is likely there is legal authority to disclose this information, as discussed below, must the health department notify a housing authority of all residents who are subject to quarantine or isolation orders due to infection or possible infection with COVID-19? Usually not, because the health officer has significant discretion in determining how to protect the public and prevent and control the spread of disease.

The health officer might then analyze “Should I?” This decision is based on professional judgment with input from subject matter experts. The health officer needs to weigh competing interests – balancing the individual’s interest in privacy against protecting housing authority staff, the health care system, and the general public.

With regard to legal authority, the HIPAA Privacy Rule may or may not apply to a health department depending on whether it has separated its HIPAA covered functions (such as the health department’s health care clinics) from those functions that are not covered by HIPAA (such as the health department’s public health disease control functions) through a hybrid designation. To learn more about HIPAA’s application to public health and hybrid entity requirements, please see the Network’s FAQs.  Even if HIPAA does not apply, it represents a minimum standard that is commonly accepted for health information privacy, so it is often a good starting point.

HIPAA prohibits the use and disclosure of identifiable health information (known as “protected health information” or “PHI”) unless the rule requires or permits disclosure. For example, the Rule requires disclosure to an individual who requests his or her own health information or for an investigation by the federal government of an alleged HIPAA violation. 45 CFR 164.502.

HIPAA also includes provisions that permit, but do not require, a HIPAA-covered entity to disclose PHI. Of relevance here, a covered entity may disclose PHI in the following circumstances:

• A covered entity may disclose PHI to “[a] person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation.” 45 CFR 164.512(b)(iv). To employ this exception, a health department would need to determine whether a state or local law authorizes the contemplated disclosure as a component of a public health intervention or investigation.

• A covered entity may disclose PHI to anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. 45 CFR 164.512(j). The disclosure must be consistent with applicable law and standards of ethical conduct and made to a person or persons reasonably able to prevent or lessen the threat. A covered entity is presumed to have acted in good faith if the belief is based upon the covered entity’s actual knowledge or in reliance on a credible representation by a person with apparent knowledge or authority. 45 CFR 164.512(j)(4).

In either case, the covered entity must make reasonable efforts to limit information disclosed to that which is the minimum necessary for the intended purpose. 45 CFR 164.502(b).

Whether or not HIPAA applies, states may have their own requirements that apply to disclosure by a state or local health department identifying an individual at risk for developing a communicable disease. For example, Michigan’s Communicable and Related Disease Rules (Rule R 325.181) provide that identifiable medical and epidemiological information collected in connection with a disease investigation is confidential. Accordingly, the rules limit disclosure of this information absent the individual’s consent. An exception to this general rule is where the disclosure is necessary to protect the public’s health as determined by the local or state health officer.

In instances where disclosure is permitted but not required, a health officer should determine whether the disclosure of an individual’s private information related to COVID-19 is necessary to protect the general public as well as housing authority staff. 

Determining whether or not disclosure is necessary requires considering other options, including those which do not involve identifying housing authority residents subject to an isolation or quarantine order. For example, a health department could advise any residents subject to a quarantine or isolation order to notify the housing authority and public safety staff. Alternatively, a health department might inquire into the housing authority’s specific public safety practices to determine the feasibility of disclosing addresses as needed.

Whatever decision is made, the health officer should:

1. Be able to articulate the basis for the decision.
2. Consider what other health departments are doing.
3. Show that alternatives have been considered and weighed. In particular, is the alternative feasible, would it effectively reduce exposure risks, and is there adequate time and resources to implement it?
4. Does the decision take into account both the privacy interests of the affected housing authority resident and the health and safety needs of housing authority staff and other residents?
5. Is there a way to be transparent with individuals – for example, informing individuals both that they should inform the housing authority of the quarantine or isolation order and, additionally, that the health department will be notifying the housing authority of the addresses of individuals subject to these orders.
6. Document the decision and the basis for it.

Absent a clear answer, consider on what side it would be best to err.

Disclosures to a Homeless Shelter

Q: May a healthcare provider disclose the positive COVID-19 status of an individual to a homeless shelter if that individual is a resident?

A: It is important to notify the director or staff of a homeless shelter if a resident has tested positive for COVID-19 so that the shelter can take additional precautions to protect other residents, staff, and volunteers, and can properly monitor the resident for worsening symptoms.

If disclosure to a shelter or other homeless provider is required by state law, the disclosure is permissible under HIPAA. See 45 CFR 164.512(a). HIPAA also permits a covered entity to disclose identifiable health information to anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. The disclosure must be consistent with applicable law and standards of ethical conduct and made to a person or persons reasonably able to prevent or lessen the threat. Additionally, the covered entity must make reasonable efforts to limit information disclosed to the minimum necessary for the intended purpose. In disclosing the information, a covered entity is presumed to have acted in good faith if the belief is based upon the covered entity’s actual knowledge or in reliance on a credible representation by a person with apparent knowledge or authority. See 45 CFR 164.512(j).

CDC has issued guidance to assist homeless service providers, including overnight emergency shelters, day shelters, and meal service providers, in planning and responding to COVID-19. The guidance discusses recommendations on how homeless service providers can protect their staff, clients, and guests.

Q: What information may be shared from the Homeless Management Information System during the COVID-19 outbreak?

A: The Homeless Management Information System (HMIS) is a computerized database that facilitates the information collection on individuals and families that use residential or other homeless assistance services. HMIS Privacy and Security Standards apply to any homeless assistance organization that records, uses or processes protected personal information for a HMIS. These homeless providers are referred to as a covered homeless organization. The Department of Housing and Urban Development has issued guidance that details how participant information can and cannot be shared under the HMIS Standards during the COVID-19 emergency response. The guidance includes several scenarios that cover disclosure to public health authorities, health care providers, first responders and other homeless assistance service providers, among others.

Disclosures to Cities

Q: If a municipality partners with a health department to support physical distancing measures and other public health activities, may a HIPAA covered health department share COVID-19 PHI with the municipality or its agencies under HIPAA’s public health exception?

A: Generally not.

Cities may want to support physical distancing orders to prevent or lessen the spread of COVID-19. For example, cities may utilize their law enforcement agencies to enforce physical distancing orders. Additionally, a city’s communications staff may develop press releases and other messaging to inform residents about COVID-19 and encourage them to utilize safe behaviors. Cities ask whether their support of and collaboration with public health activities make them a public health authority, allowing HIPAA covered health departments, hospitals, clinics and laboratories to share COVID-19 PHI without patient authorization under HIPAA’s public health exception.  45 CFR § 164.512(b).

HIPAA defines a public health authority as follows: “an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.” 45 CFR § 164.501. Consequently, law enforcement and other city services, such as the communications staff, likely do not have public health as part of their official mandate and are not public health authorities. Accordingly, HIPAA’s public health exception is likely not available for data sharing with cities, generally. HIPAA provides alternative legal pathways for covered health departments to share COVID-19 data with specific municipal departments, such as law enforcement. See FAQs.

While a city may not be considered a public health authority, it is part of the broader public health system. The public health system includes a variety of public and private actors, including law enforcement, elected officials, transit, community centers and other municipal actors. The Centers for Disease Control and Prevention’s graphic of the public health system is instructive.

Figure 1: The Public Health System

Depending upon the city’s proposed activities, a health department might determine that the city intends to utilize the data for public health purposes. HIPAA allows a covered health department to share a limited data set of COVID-19 PHI with a city for public health purposes, even where it is not a public health authority. 45 C.F.R. § 164.514(e). A limited data set excludes most direct identifiers of the individual, relatives, employers or household members of the individual, but does include the individual’s town or city, state and zip code. Of note, a limited data set does not include an individual’s street address information. A limited data set allows the covered entity to include specific dates such as date of birth, date of death, date of COVID-19 testing and hospitalization. A covered health department must enter into a data use agreement with the recipient, such as a city, that establishes the permitted uses and disclosures as well as other terms to safeguard the information. Importantly, a recipient of a limited data set is prohibited from re-disclosing the PHI unless permitted under the data use agreement or required by law. Additionally, a recipient is prohibited from re-identifying individuals within the dataset. Id.

The COVID-19 pandemic provides an urgency for public health to partner with municipalities and other cross-sector public health system participants to collaborate around data sharing to inform protecting the health and well-being of their communities. Public health might consider execution of a HIPAA compliant data use agreement to share a limited data set of COVID-19 PHI with a municipality for public health purposes.

Disclosures by School Nurses

Q: A school nurse becomes aware that a student who attends her school has tested positive for COVID-19. May the school nurse notify the health department, school administration, and the school community, such as staff and parents?

A: Yes. The Family Educational Rights and Privacy Act (FERPA) generally requires parental permission for school personnel to disclose personally identifiable information (PII) from a student’s education record (including health information). But the law provides exceptions allowing disclosure without consent. Under the “health or safety emergency” exception, even though a student’s positive COVID-19 test would be considered PII, the school nurse may report this information without parental consent to individuals whose knowledge of the information is necessary to protect the health or safety of students or other individuals. See 20 U.S.C. § 1232g(b)(1)(I); 34 C.F.R. §§ 99.31(a)(10) and 99.36. These may include public health officials, school administration, trained medical personnel, school staff, and parents. The “health or safety emergency” exception is limited in time to the period of the emergency and generally does not allow for a blanket release of PII from student education records. See U.S. Department of Education, Student Privacy Policy Office, FERPA & COVID-19 FAQs.

While many schools that provide health care services may qualify as HIPAA covered entities, school nurses generally are subject to FERPA (and not HIPAA), because the HIPAA Privacy Rule expressly excludes information considered “education records” under FERPA from its requirements. In short, when FERPA applies, HIPAA does not. School nurses practicing in private or parochial schools that do not accept funding under any program of the U.S. Department of Education and also qualify as a HIPAA covered entity may be subject to HIPAA. For more information, see Network for Public Health Law, Data Privacy in School Nursing: Navigating the Complex Landscape of Data Privacy Laws, Part II and HHS guidance on the application of FERPA and HIPAA to student records.

Q: A school nurse becomes aware that the parent of a student who attends her school has tested positive for COVID-19. May the school nurse notify the health department, school administration, and the school community, such as staff and other parents?

A: Nothing in FERPA prevents schools from informing the school community that a specific parent (or teacher or other school official) has tested positive for COVID-19 because FERPA applies only to students’ education records. However, there may be state laws that limit disclosure in certain situations. Though FERPA does not apply to parents, following the same FERPA-compliant practices that the school would for a student is prudent.

Under the health or safety emergency exception, PII may be disclosed to an appropriate party whose knowledge of the information is necessary to protect the health or safety of the student or other individuals. The information disclosed must be the “minimum necessary” to accomplish this purpose. According to the Department of Education Student Privacy Policy Office’s guidance on FERPA and COVID-19:  “In most cases, it is sufficient to report the fact that an individual in the school has been determined to have COVID-19, rather than specifically identifying the student who is infected. School notification is an effective method of informing parents and eligible students of an illness in the school. For settings in which parents are primarily doing drop-offs and pick-ups, posting signs on the doors may be effective. In other settings, sending home or e-mailing a notification may also be effective. These methods serve to notify parents and eligible students of a potential risk, which may be particularly important for students who may be more susceptible to infection or to developing severe complications from an infection, and to alert parents to look for symptoms in their own children and eligible students to more closely monitor themselves for symptoms.”  

The school nurse should also notify the applicable health department of any positive COVID-19 cases and report whatever information is required by the health department.

Reporting to Public Health

Q: How long do providers have to respond to public health’s request for COVID-19 records?

A: The short answer is that it depends upon the jurisdiction’s requirements where the provider practices. Of the states surveyed, reporting time frames ranged from immediately to within 24 hours.

States require communicable disease case reporting for the purposes of disease prevention and control program planning and evaluation, common-source outbreak detection and appropriate medical therapy assurance. See Mandatory Reporting of Infectious Diseases by Clinicians. State legislatures have the authority to require infectious disease surveillance. Some states exercise their authority by requiring case reporting by statute and others provide general authority in statute empowering the state board of health to promulgate regulations defining case reporting requirements. Other states require case reporting under a combination of statute and state health department regulations. Id. States differ with respect to conditions and diseases to be reported, time frames for reporting, persons required to report, agencies receiving the reports, and conditions triggering reports. Additionally, many states encourage reporting to local health departments. Id.

The Council of State and Territorial Epidemiologists (CSTE) provides recommendations to states concerning standardized surveillance case definitions and national notification conditions. On April 5, 2020, CSTE issued recommendations entitled Standardized surveillance case definition and national notification for 2019 novel coronavirus disease (COVID-19). CSTE identified a need for standardized surveillance for COVID-19 so that jurisdictions may better understand disease transmission and epidemiology. Among its recommendations, CSTE urges states and territories to enact laws to make COVID-19 reportable within their jurisdictions and to report case notifications to the Centers for Disease Control and Prevention. Data sources include clinician reporting; laboratory reporting; reporting by other entities such as hospitals and veterinarians; death certificates; hospital discharge or outpatient records; data from electronic medical records; telephone survey; school-based survey; other, such as diagnosis codes and autopsy reports. CSTE recommends that reporting be classified as “immediately notifiable, urgent (within 24 hours)”.

A snapshot of state COVID-19 reporting requirements follows.

Providers and other practitioners should check their local or state health department’s website to find out their COVID-19 reporting requirements, including how quickly they are required to report.

The Network for Public Health Law provides information and education about laws related to the public’s health. We do not provide legal representation or provide advice on a particular course of action.