The guidance clarifies the regulatory permissions that covered entities may use to disclose Protected Health Information (PHI) to first responders and others so they can take extra precautions or use personal protective equipment. The guidance explains the circumstances under which a covered entity may disclose PHI, such as the name or other identifying information about individuals, without their HIPAA authorization, and provides examples and discussions including:
When needed to provide treatment. For example, HIPAA permits a covered skilled nursing facility to disclose PHI about an individual who has COVID-19 to emergency medical transport personnel who will provide treatment while transporting the individual to a hospital’s emergency department.
When required by law. The Louisiana Department of Health, Office of Public Health (LDH/OPH) recently adopted an Emergency Rule that adds COVID-19)/infections with SARS-CoV-2 to the list of reportable diseases and conditions. See https://www.lammico.com/article/COVID-class-A
When first responders may be at risk for an infection. A covered entity may disclose PHI to a first responder who may have been exposed to COVID-19, or may otherwise be at risk of contracting or spreading COVID-19, if the covered entity is authorized by law, such as state law, to notify persons as necessary in the conduct of a public health intervention or investigation. For example, HIPAA permits a covered health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19.
When disclosure is necessary to prevent or lessen a serious and imminent threat. For example, HIPAA permits a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties.
The Guidance also includes a reminder that generally, covered entities must make reasonable efforts to limit the PHI used or disclosed to that which is the "minimum necessary" to accomplish the purpose for the disclosure.
The Guidance may be found here.