In new guidance, the HHS Office for Civil Rights (OCR) has authorized hospitals and other covered entities (CEs), which may be faced with demands from first responders and law enforcement, to provide a list of patients who have tested positive for COVID-19.[1]
But whether the strategies offered—including limiting the disclosure to dispatchers only—are workable remains to be seen, particularly given how fraught the relationship between the police and caregivers can be. It was just three years ago that dramatic body camera video showed the handcuffing of a Utah nurse who refused to allow a police official to take blood from a patient with serious burns who later died.[2] (The nurse received a $500,000 settlement from the Salt Lake City police department and the University of Utah, which owns the hospital, and the officer was fired.)
In addition, Jeff Drummond, an attorney with decades of experience in HIPAA matters, tells RPP that the use of a patient list, particularly when shared with law enforcement or firefighters, might be problematic and advises giving the guidance thoughtful consideration before implementation.
Titled “COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders and public health authorities,” the guidance, issued March 24, differs little from how disclosures to these groups have historically been interpreted by OCR.[3] Generally speaking, no patient authorization is required for sharing of protected health information (PHI) with public health entities and to protect against imminent danger, for example.
Where the guidance may break new ground—reflecting what one OCR official called “creative thinking” and “further steps” on the agency’s part—is in its recommendations about the use of lists of patients affected by COVID-19.
Speaking March 30 at the virtual Compliance Institute sponsored by RPP publisher the Health Care Compliance Association, Timothy Noonan, OCR deputy director for health information privacy, discussed the guidance and fleshed out some of the examples the agency offered.
Allowable Situations Outlined
The guidance is basically an elongated answer to one FAQ: “Does the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule allow a covered entity to share the name or other identifying information of an individual who has been infected with, or exposed to, the virus SARS-CoV-2, or the disease caused by the virus, Coronavirus Disease 2019 (COVID-19), with law enforcement, paramedics, other first responders, and public health authorities without an individual’s authorization?”
The answer is yes, and that such sharing can be done “without the individual’s HIPAA authorization, in certain circumstances.” These include the following:
- “When the disclosure is needed to provide treatment. For example, HIPAA permits a covered skilled nursing facility to disclose PHI about an individual who has COVID-19 to emergency medical transport personnel who will provide treatment while transporting the individual to a hospital’s emergency department. 45 C.F.R. § 164.502(a)(1)(ii); 45 C.F.R. § 164.506(c)(2).
- “When such notification is required by law. For example, HIPAA permits a covered entity, such as a hospital, to disclose PHI about an individual who tests positive for COVID-19 in accordance with a state law requiring the reporting of confirmed or suspected cases of infectious disease to public health officials. 45 C.F.R. § 164.512(a).
- “To notify a public health authority in order to prevent or control spread of disease. For example, HIPAA permits a covered entity to disclose PHI to a public health authority (such as the Centers for Disease Control and Prevention (CDC), or state, tribal, local, and territorial public health departments) that is authorized by law to collect or receive PHI for the purpose of preventing or controlling disease, injury, or disability, including for public health surveillance, public health investigations, and public health interventions. 45 C.F.R. § 164.512(b)(1)(i); see also 45 C.F.R. § 164.501 (providing the definition of “public health authority”).
- “When first responders may be at risk of infection. A covered entity may disclose PHI to a first responder who may have been exposed to COVID-19, or may otherwise be at risk of contracting or spreading COVID-19, if the covered entity is authorized by law, such as state law, to notify persons as necessary in the conduct of a public health intervention or investigation. For example, HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. 45 C.F.R. § 164.512(b)(1)(iv).
- “When the disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. A covered entity may disclose PHI to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat, which may include the target of the threat. For example, HIPAA permits a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties. 45 C.F.R. § 164.512(j)(1).”
The last two bullet points may represent the biggest changes and challenges that hospitals and others may face compared to disclosures they made pre-pandemic, and OCR explored them in more detail in two subsequent examples in the guidance.
OCR: Share List With Dispatchers Only
As Noonan noted during his talk, OCR “took some further steps to help protect law enforcement and first responders by offering examples of how lists of individuals can be used while still maintaining some privacy protections.”
The guidance states the following:
A covered entity, such as a hospital, may provide a list of the names and addresses of all individuals it knows to have tested positive, or received treatment, for COVID-19 to an EMS dispatch for use on a per-call basis. The EMS dispatch (even if it is a covered entity) would be allowed to use information on the list to inform EMS personnel who are responding to any particular emergency call so that they can take extra precautions or use personal protective equipment.
Then OCR provides more details, stating that, “Under this example, a covered entity should not post the contents of such a list publicly, such as on a website or through distribution to the media. A covered entity under this example also should not distribute compiled lists of individuals to EMS personnel, and instead should disclose only an individual’s information on a per-call basis.”
OCR appears to be using hospital and EMS interchangeably when referring to not posting the list or disclosing it to the media.
Elaborating on the language regarding sharing information on a per-call basis, Noonan said this is what complies with the minimum necessary standard, which is still in effect. “Sharing the lists or disclosing the contents publicly would not ordinarily constitute the minimum necessary to accomplish the purpose of the disclosure (i.e., protecting the health and safety of the first responders from infectious disease for each particular call),” the guidance states.
‘Set Something Up’
Noonan repeated that the “list can go to the dispatch, and the dispatch could use an individual name off the list on a per-call basis.”
It’s not clear how a hospital would be able to control the list once it is out of its hands, but Noonan said a provider should try to work with dispatch units, whether EMS, fire or law enforcement, “and set something up” whereby there is a central disclosure point “and the officers could get confirmation before responding to a scene.”
The guidance also states that a 911 call center could ask callers screening questions to determine if there is a risk of COVID-19 exposure. The call center “would be permitted to inform a police officer being dispatched to the scene … of the name, address and screening results for the person who may be encountered so that the officer can take extra precautions or use personal protective equipment to lessen their risk of exposure to COVID-19 even if the [purpose] of the dispatch is for a nonmedical situation,” Noonan said.
During the talk, a participant asked if a hospital would be able to share the negative status of a patient, but the question went unanswered. Noonan said, however, that OCR will be issuing additional guidance to address related topics.
The written guidance states that “the examples are not intended to imply that all” 911 call centers “are covered by HIPAA and are required to comply with the HIPAA Rules.”
‘Grave Reservations’ Expressed
Drummond, a partner with Jackson Walker LLP in Dallas, expresses concern about the use of patient lists. Hospitals, he says, are already required to report COVID-19-positive patients to health authorities on a daily basis, and perhaps that’s where the information should reside.
“Personally, I have a lot of grave reservations about the ‘providing a list’ concept” to first responders, he tells RPP. “I would be much more comfortable with the CE making the list, and even sharing with all other CEs in the geographic area—or better yet the county health department or other public health agency—and responding with a yes/no when EMS is called out for a patient, or when police have a person in custody.”
EMS personnel should probably be “treating every patient as a possibly infected person, but [I] wouldn’t expect cops, much less firefighters, to be always gloved and masked when they’re on patrol,” says Drummond, so for the latter two groups, “the ability to know that a particular person poses a higher risk is more relevant.”
But, he says, “I don’t want the list provided to cops and firefighters”—perhaps even if the distinction is made that it only goes to dispatch.
“OCR is saying you can give the list to dispatchers whether they are CEs or not, so you can, for now,” adds Drummond. “The regs themselves require an underlying provision of law, that i.e., ‘authorized by law,’” which OCR is allowing by way of its guidance.
CE May Not Know Whom to Trust
Given this, a CE “could take great comfort that you would not be prosecuted if you just handed them the list and hoped for the best,” says Drummond, who offered praise, in general, for OCR’s attempts to outline flexibilities and respond to the pandemic.
But, he adds, “Should you? Not if there’s an equally effective way to get the information out when needed but keep it under better control and more secure with someone who knows and is responsible under HIPAA. I love cops and firefighters, but I wouldn’t trust every single one of them not to abuse this list, and since the CE wouldn’t know which one to trust, even disclosing to a single law enforcement contact is too risky. Also, if the hospitals and doctors are required by law to report positive cases to the health authority, let the health authority hold the list and answer the queries from dispatch.”
Drummond points out that this is like any permissible use or disclosure under HIPAA—it must be made deliberately.
“You should always analyze the risk, determine solution/options, look at mitigation strategies, weigh pros/cons, etc. for any use or disclosure,” he says. “Reasonable determinations made in good faith reliance on a security risk analysis aren’t HIPAA violations, even if they turn out to be wrong.”
And, to stress a principle underlying HIPAA compliance efforts, Drummond adds: “the fewer people who hold the info, the greater the security.”
Contact Drummond at jdrummond@jw.com.