Getty Images

OCR Shares COVID-19 PHI, Data Sharing Guidance for First Responders

In light of the COVID-19 pandemic, OCR provided insights on how protected health information can be shared with first responders and law enforcement in compliance with the HIPAA Privacy Rule.

The Office for Civil Rights released guidance for how protected health information on patients exposed or infected with COVID-19 can be shared with first responders, such as law enforcement, paramedics, and public health authorities, in compliance with the HIPAA Privacy Rule.

HIPAA allows for sharing of information of patients infected or exposed to the Coronavirus with law enforcement, paramedics, and other first responders without an individual’s authorization in certain circumstances.

In the guide, OCR clarifies regulatory permissions covered entities may use to disclose PHI to first responders and others. Health organizations can leverage the guide to determine the circumstances in which a covered entity is permitted to disclose PHI without their HIPAA authorization, when it’s needed to provide treatment, required by law, and when first responders are at risk for infection.

Disclosure is also permitted when responding to a PHI request from a correctional institution or law enforcement official who is in lawful custody of the individual, and the information is needed to provide healthcare to the patient and to ensure the health and safety of the individual or those present at the correctional institution or those responsible for transporting the patient.

The guide also sheds light on when disclosure may be necessary to prevent or lessen a serious or imminent threat.

"Our nation needs our first responders like never before, and we must do all we can to assure their safety while they assure the safety of others," said OCR Director Roger Severino, in a statement. "This guidance helps ensure first responders will have greater access to real time infection information to help keep them and the public safe.”

OCR also provided examples of other circumstances where disclosure is permitted.

“A covered entity, such as a hospital, may provide a list of the names and addresses of all individuals it knows to have tested positive, or received treatment, for COVID-19 to an EMS dispatch for use on a per-call basis,” according to the guide.

“The EMS dispatch (even if it is a covered entity) would be allowed to use information on the list to inform EMS personnel who are responding to any particular emergency call so that they can take extra precautions or use personal protective equipment (PPE),” it added.

However, the covered entity may not post these contents publicly or distribute the list to the media. The list should also not be distributed to the EMS personnel, rather the information should only be disclosed about the individual in question, on a per-call basis.

Lastly, a 9-1-1 call center asking screening questions about a patient with potential COVID-19 symptoms will be permitted to inform the police officer dispatched to the scene to allow the officer to take precautions to reduce exposure.

The hope is that information will allow first responders to take extra precautions or use personal protective equipment to prevent exposure to patients with suspected COVID-19 symptoms.

“Except when required by law, or for treatment disclosures, a covered entity must make reasonable efforts to limit the information used or disclosed under any provision listed above to that which is the ‘minimum necessary’ to accomplish the purpose for the disclosure,” according to the guide.

HHS and OCR have released several insights in light of the Coronavirus outbreak to ensure providers are able to share information as fluidly as possible. Officials have also waived certain HIPAA provisions to accomplish those goals, while expanding telehealth use and lifting some penalties.

Next Steps

Dig Deeper on HIPAA compliance and regulation