Healthcare providers can share COVID-19 patients' medical information without their express authorization to help protect first responders from the risk of infection, the Department of Health and Human Services (HHS) said Wednesday.
HHS' Office for Civil Rights (OCR) issued the guidance (PDF) to clarify the circumstances when providers can share patient data during the coronavirus pandemic.
The idea is to make clear when patients' protected health information (PHI) can be given to law enforcement, paramedics or other first responders so they can take extra precautions or use personal protective equipment (PPE) and to remind covered entities to follow the “minimum necessary” rule in the process.
The guidance applies to healthcare providers as well as other "covered entities" under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and applies to individuals who have been infected with or exposed to COVID-19.
According to OCR, hospitals, clinics and other providers can disclose patients' PHI, such as the name or other identifying information, without their HIPAA authorization, when it's needed to provide treatment or required by law.
Other circumstances when this permission applies includes when law enforcement, paramedics or other first responders may be at risk for infection and when disclosure is necessary to "prevent or lessen a serious and imminent threat."
As one example, a hospital can provide a list of names and addresses for people it knows to have tested positive, or received treatment, for COVID-19 to an EMS dispatcher for use on a per-call basis. The EMS dispatch could use the information to inform paramedics or fire departments responding to a particular emergency call so they can take precautions or use PPE.
Hospitals, clinics and health plans must make "reasonable efforts" to limit the PHI used or disclosed to what is the "minimum necessary" to accomplish the purpose for the disclosure, OCR said.
"Our nation needs our first responders like never before and we must do all we can to assure their safety while they assure the safety of others," said Roger Severino, OCR director. "This guidance helps ensure first responders will have greater access to real-time infection information to help keep them and the public safe."
The HIPAA Privacy Rule protects the privacy of patients’ PHI but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health and for other critical purposes, according to OCR.
HHS urges healthcare organizations to consult state and local statutes and regulations before disclosing patients' personal information. State and local laws may place further restrictions on disclosures that would otherwise be permitted by HIPAA.