By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow
Read other articles by this author
As we continue to make our way through new territory with the COVID-19 crisis, we are having to adjust the rules and regulations that previously stood in place. HIPAA is no exception to that.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has continued to update the guidelines under these circumstances. Recently, they have provided a new document for guidance on examples of allowable disclosures of protected health information (PHI) by covered entities under the HIPAA privacy rule for first responders and others who receive PHI about individuals that are displaying COVID-19 symptoms, or have been exposed to the 2019 Novel Coronavirus, SARS-COV-2.
Structured in a question and answer format, this document explains when those covered entities are permitted to disclose PHI to law enforcement officers, first responders, paramedics, and public health officials without having to obtain HIPAA authorization. This would include the individual’s name or other identifying information. OCR confirms that providing this PHI is permitted to provide treatment in order to prevent the responder from contracting COVID-19 and to reduce and prevent further infection of the individual providing treatment.
Additionally, the 911 call center staff can ask about the patient symptoms in order to assess the risk of COVID-19 infection and can pass that information along to first responders. A hospital may also provide names and addresses for individuals known to have tested positive for COVID-19 when responding to the EMS dispatch but on a per-call basis. This provides adequate time to give personnel a chance to ensure their own safety by wearing personal protective equipment.
The OCR goes on to further explain that the PHI is permitted when a correctional institute or law enforcement official is in the lawful custody of an inmate or individual and has requested the PHI to provide healthcare services to that individual. This is done to ensure the safety of both the individual providing the treatment or transport as well as the other individuals at the institution. This provides safety and security for the collective group.
As with any disclosure of protected health information, efforts should be taken to guard the patient’s identity and well-being as best as possible.
The OCR recognizes that we are in unprecedented times, and therefore need to respond accordingly. We expect that this won’t be the last time we hear of modifications to existing laws and regulations during this time of uncertainty.
This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance. Learn more here.
HIPAA Secure Now! now offers PHIshMD training for CEs and BAs to help protect your organization from security threats.
Technology safeguards put a virtual wall around your network, but what happens when the bad actors climb over that wall? It’s up to your employees. Over 90% of breaches get caused by human error according to Kaspersky Lab, and if you’re not educating users HOW to protect your organization in this ever-changing threat landscape, your organization could be next. LEARN MORE