HIPAA Guidelines and COVID-19

In response to the COVID-19 pandemic, the US Department of Health and Human Services (HHS) has issued special guidance regarding sharing information about patients, including people infected with the SARS-CoV-2 virus.

HIPAA and COVID Guidelines

HIPAA is widely known for its Privacy Rule, which safeguards the protected health information (PHI) of individuals from disclosure by healthcare providers, healthcare networks, insurance companies, and other covered entities. In response to the COVID-19 pandemic, the Department of Health and Human Services (HHS) has issued special guidance with respect to the sharing of information about patients, including people infected with COVID-19.

For most covered entities, the exceptions granted by HHS fall under two distinct categories. First, HHS guidance allows for sharing information about COVID-infected patients with law enforcement, paramedics, and other first responders, as well as with public health authorities at the national, state, and local levels. Second, HHS has provided guidance that allows covered entities to share PHI with Health Information Exchanges (HIEs) under certain circumstances.

Let’s look at each of these categories in turn.

Disclosure to First Responders & Public Health Authorities

Within limited parameters, HHS guidance permits the disclosure of information about infected patients to law enforcement, paramedics, and other first responders, as well as to public health authorities (PHAs). Specifically:

  • When the disclosure is needed to provide treatment. For example, infection status may be disclosed to ambulance personnel transporting a patient with COVID who accordingly requires specific treatment.

  • When such notification is required by law. If state law requires such notification, for example, it is not considered a violation of the HIPAA Privacy Rule.

  • To notify a public health authority in order to prevent or control the spread of disease.

  • When first responders may be at risk of infection. For example, a covered entity may share PHI if it believes that it’s necessary to protect police or fire department personnel, child welfare or mental health workers, or others performing a public health and safety function, provided that the covered entity believes in good faith that the disclosure is necessary to prevent or minimize the threat of exposure to those personnel.

  • When the disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. In other words, when first responders need to know about a possible infection in order to protect others.

  • When responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual.

Although HHS guidance allows for the sharing of PHI under the circumstances mentioned above, covered entities are still responsible for making reasonable efforts to limit the amount of information they disclose, and the parties to whom they disclose it. HHS requires that the “minimum necessary” disclosures be made in order to accomplish the intended purpose.

Sharing PHI with Health Information Exchanges

The second important category of the guidance relates to Health Information Exchanges (HIEs), which are organizations that enable the sharing of electronic protected health information (ePHI) among more than two unaffiliated entities. Generally, these exchanges exist for the purpose of facilitating treatment, payment, or health care operations, but they may also report information to public health authorities (PHAs) and perform statistical analysis of the data they collect.

Covered entities may share information with HIEs under the following circumstances:

  • When the disclosure is required by law. If state law requires such disclosure, for example, it is not considered a violation of the HIPAA Privacy Rule.

  • When the HIE is a business associate of the covered entity (or of another business associate) that wishes to provide PHI to a PHA. For example, the covered entity might direct the HIE to report PHI to the department of public health at the local or state level, as a measure aimed at protecting public health from the spread of COVID-19.

  • When an HIE is acting under a grant of authority or contract with a PHA for a public health activity. For example, if a state public health agency contracts with an HIE to collect data from healthcare providers, those providers may share PHI with the HIE in accordance with that program, even if they don’t have a business associate relationship with the HIE.

If your organization is a covered entity under HIPAA, it’s important to be aware of these guidelines pertaining to COVID-19. At WestFax, we’ve been working with HIPAA-covered entities for years, providing secure, cloud-based Healthcare Fax services that help our clients stay on the right side of HIPAA privacy rules. If you’d like to sign up for one of our plans, visit our Healthcare Fax page to learn more.

Need more information? Contact us at 800-473-6208 and we can help you better understand which plan will work best for you.
