What You Need to Know about COVID-19 and HIPAA

What You Need to Know about COVID-19 and HIPAA

Published: August 31st, 2020

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued guidance and clarity regarding disclosures of protected health information (PHI) during the Coronavirus (COVID-19) global pandemic.

Under HIPAA law, a covered entity is allowed to disclose the protected health information (PHI) of an individual infected with, or exposed to, COVID-19, with law enforcement, paramedics, other first responders, and public health authorities without the individual’s HIPAA authorization, in certain circumstances. These conditions include:

  1. When the disclosure is necessary to provide treatment
    1. Example: HIPAA allows a covered skilled nursing facility to disclose PHI about an individual who has COVID-19 to emergency medical transport personnel who will provide treatment while transporting the individual to a hospital.
  2. When such notification is required by law
    1. Example: HIPAA permits a covered entity, such as a hospital, to disclose PHI about an individual who tests positive for COVID-19 under state law requiring the reporting of confirmed or suspected cases of infectious disease to public health officials.
  3. To notify a public health authority to prevent or control the spread of disease
    1. Example: HIPAA permits a covered entity to disclose PHI to a public health authority (such as the Centers for Disease Control and Prevention (CDC), or other public health departments) that are authorized by law to collect or receive PHI to prevent or control disease, injury, or disability.
  4. When first responders may be at risk of infection
    1. A covered entity may disclose PHI to a first responder who may have been exposed to COVID-19, or may be at risk of contracting or spreading COVID-19, if the covered entity is authorized by law, such as state law, to notify persons as necessary in the conduct of a public health intervention or investigation.
  5. When the disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public
    1. Example: HIPAA permits a covered entity to disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties.
  6. When responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual, if the facility or official represents that the PHI is needed for:
    1. providing health care to the individual;
    2. the health and safety of the individual, other inmates, officers, employees and others present at the correctional institution, or persons responsible for the transporting or transferring of inmates;
    3. law enforcement on the premises of the correctional institution; or
    4. the administration and maintenance of the safety, security, and good order of the correctional institution.

Example: HIPAA permits a covered entity, such as a physician, located at a prison medical facility to share an inmate’s positive COVID-19 test results with correctional officers at the facility for the health and safety of all people at the facility.

General Considerations: Except when required by law, or for treatment disclosures, a covered entity must make reasonable efforts to limit the information used or disclosed under any provision listed above to that which is the “minimum necessary” to accomplish the purpose for the disclosure.

For further information visit:


If your practice is seeking safety or HIPAA training, contact the experts at MedSafe. MedSafe is the nation’s leading one-stop resource for outsourced safety, training, and health compliance solutions. We offer a wide variety of onsite and online training courses, including OSHA Safety, Corporate Compliance, HIPAA, Billing Compliance, and Harassment and Discrimination in the Workplace.

MedSafe is offering a free course on social distancing coming soon!

Contact us today for a free training consultation.

Toll-free: (888) MED-SAFE