Finally! Feds tell hospitals they may share information about COVID-19 patients with first responders
HIPAA-covered entities may share protected health information when first responders may be at risk of infection
By Steve Wirth, Esq., EMT-P
Many hospitals and healthcare facilities have long resisted sharing any protected health information (PHI) about patients with their EMS agency partners, even when sharing that important information was permissible under HIPAA.
Now, in the midst of the COVID-19 pandemic, the HHS Office of Civil Rights (which enforces HIPAA) has issued important guidance to those facilities that should help clear the way for better information sharing about COVID-19 infected patients with first responders, paramedics and EMS agencies.
The March 24, 2020, guidance clarifies that the HIPAA privacy rule permits a covered entity (e.g., hospitals, nursing homes and other medical facilities) to disclose the PHI of an individual who has been infected with, or exposed to, COVID-19, with law enforcement, paramedics, other first responders and public health authorities. The circumstances described in the guidance are exceptions to the general rule that covered entities may not disclose PHI to others without authorization of the patient and are not new – they’ve always been in the regulations:
- When the disclosure is needed to provide treatment. Permits disclosure of PHI about an individual who has COVID-19 to EMS personnel who will provide treatment while transporting the patient to a hospital emergency department or other location.
- When notification is required by law. Permits disclose of PHI about an individual who tests positive for COVID-19 in accordance with a state law requiring the reporting of confirmed or suspected cases of infectious disease to public health officials.
- To notify a public health authority in order to prevent or control spread of disease. Permits disclosure of PHI to a public health authority (such as the CDC, or state, tribal, local and territorial public health departments) that is authorized by law to collect or receive PHI for the purpose of preventing or controlling disease, injury or disability, including for public health surveillance, public health investigations and public health interventions.
- When first responders may be at risk of infection. Permits disclosure of PHI to a first responder who may have been exposed to COVID-19, or may otherwise be at risk of contracting or spreading COVID-19, if the covered entity is authorized by law to notify persons as necessary in the conduct of a public health intervention or investigation. HIPAA permits a county health department to disclose PHI to a police officer or other person who may have had contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19.
- When the disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. This exception has not been used often under HIPAA as it is ordinarily a rare occurrence when it would be invoked – rare until now that is, with a nationwide pandemic of a dangerous and highly contagious virus! This exception permits disclosure of PHI to prevent or lessen a serious and imminent threat to a person or the public, when the disclosure is made to someone they believe can prevent or lessen the threat, which may include the target of the threat.
This exception permits a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI about patients – who have tested positive for COVID-19 – to fire department personnel, paramedics, EMTs, ambulance services and others charged with protecting the health or safety of the public. To make the disclosure, the covered entity must have a good faith belief that the disclosure is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties. This exception gives hospitals and any medical facility receiving an EMS patient the authority to share with that EMS agency and its personnel who transported the patient whether the patient was a positive COVID-19 patient, without the authorization of the patient.
Only share private health information that is necessary to share
One important consideration, as explained in the guidance, is that except when required by law or for treatment disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” amount to accomplish the purpose for the disclosure. For example, in sharing PHI about a positive COVID-19 patient to EMS providers, it would likely not be necessary to share information about the patient’s other diagnoses or non-contagious medical conditions, as those conditions would likely not pose a threat to the EMS providers.
The HIPAA guidance provides real-life EMS examples
OCR specifically uses two common EMS examples in explaining the regulations:
Example 1: A covered entity, such as a hospital, may provide a list of the names and addresses of all individuals it knows to have tested positive, or received treatment, for COVID-19 to an EMS dispatch [center] for use on a per-call basis. The EMS dispatch [center] would be allowed to use information on the list to inform EMS personnel who are responding to any particular emergency call so that they can take extra precautions or use personal protective equipment (PPE).
Under this example, the OCR states that a covered entity should not post the contents of such a list publicly, like on the EMS agency’s website or through distribution to the media. A covered entity also should not distribute compiled lists of individuals who are COVID-19 positive to EMS personnel. Instead, it should disclose only an individual patient’s information on a “per-call basis.” Sharing the lists or disclosing them publicly would not ordinarily constitute the minimum necessary amount of information to accomplish the purpose of the disclosure (i.e., protecting the health and safety of the first responders from infectious disease for each particular call).
Example 2: A 911 call center may ask screening questions of all callers, for example, their temperature, or whether they have a cough or difficulty breathing, to identify potential cases of COVID-19. The call center is permitted to inform a police officer being dispatched to the scene of the name, address and screening results of the persons who may be encountered so that the officer can take extra precautions or use PPE to lessen the officer’s risk of exposure to COVID-19, even if the subject of the dispatch is for a non-medical situation and even if the dispatch center is a covered entity under HIPAA. (And most public agency 911 centers are not covered entities under HIPAA, so the HIPAA regulations would likely not apply to them).
This example would most certainly permit a situation where the 911 center shared essential information about a COVID-19 patient with any responding EMS or first responder entity. But what information may be shared with first responders and EMS? The minimum amount of information that would be necessary so that responders may take appropriate precautions to minimize the risk of exposure, such as PPE including masks and face shields. OCR says this may also include the patient’s name and the results of their COVID-19 screening.
Hospitals may share private health information with EMS
These rules and the guidance are very helpful in ensuring that EMS agencies have access to essential information about contagious patients they transport. They help take away the “hide behind HIPAA” approach that some hospitals and facilities have followed to completely shut down any sharing of patient information with EMS. The problem is that this is a permissive regulation – meaning that hospitals “may” share this PHI with EMS – but they are not required to do so.
Enter Ryan White
Remember Ryan White? That’s the federal law named in honor of an Indiana teenager who lost his life to AIDS after contracting the disease through a tainted blood transfusion. The Ryan White HIV/AIDS Treatment Extension Act of 2009 requires a medical facility to notify, upon request, an emergency response agency if a patient transported by that agency to the medical facility is diagnosed with a potentially life-threatening infectious disease. The notification provisions are now contained in the Public Health Services Law of 2019, Title 26, Part G. It’s been applied in the context of AIDS, Ebola and SARS in the past.
But does the Ryan White Law apply to hospitals and this COVID-19 pandemic? We believe that it does – and so does nationally known EMS infection control expert and author Katherine West, BSN, MSEd. According to West, “COVID-19 is the disease caused by the novel coronavirus SARS-CoV-2, which is in the SARS-CoV family. SARS-CoV and Novel Influenza A viruses are on the CDC list of Potentially Life-Threatening Infectious Diseases: Routinely Transmitted Through Aerosolized Droplet Means which we believe would encompass this novel coronavirus. As such, we believe COVID-19 notifications would be covered by the Ryan White Law.” In that case, West explains, “hospitals would be required to notify the EMS agency designated infection control officer, and then that officer would need to determine whether an exposure to EMS agency personnel actually occurred.”
To help ensure the health and safety of all personnel, EMS agencies should make sure that all pertinent assessment and medical history information is thoroughly documented on the patient care report – especially any signs or symptoms that a patient may have that could indicate active or potential infection with the COVID-19 disease. All EMS field personnel must promptly report a potential COVID-19 patient exposure to a supervisor as well as hospital personnel. Hopefully, with better knowledge about what’s permitted under HIPAA, combined with an understanding of the need to share COVID-19 patient information with EMS providers, hospitals and medical facilities can do the right thing to help reduce the risk of COVID-19 spreading in the EMS community.
The OCR Guidance can be found here.
Update Mar. 27, 2020:
Good news! COVID-19 is now explicitly covered as a disease for which the notification provisions of the Ryan White Law apply. NIOSH has just updated the "List of Potentially Life-Threatening Infectious Diseases to which Emergency Response Employees May be Exposed" to include the addition of COVID-19, the disease caused by the virus SARS-CoV-2. An updated CDC/NIOHS CDC guidance document just released also has added the definition of those covered as ‘Emergency Response Employees (EREs) and includes “firefighters, law enforcement officers, paramedics, emergency medical technicians, funeral service practitioners, and other individuals (including employees of legally organized and recognized volunteer organizations, without regard to whether such employees receive nominal compensation) who, in the course of their duties, respond to emergencies in the geographic area involved.”
The list and accompanying guidelines, originally published in a 2011 Federal Register notice, are republished in this document with these updates:
Infectious Diseases and Circumstances Relevant to Notification of Emergency Response Employees: Implementation of Sec. 2695 of the Ryan White HIV/AIDS Treatment Extension Act of 2009 pdf icon
About the author
Steve Wirth is a founding partner of Page, Wolfberg & Wirth, LLC and a highly regarded EMS attorney, author and speaker.