Complying With HIPAA Privacy Requirements During COVID-19

April 6, 2020

Health Insurance Portability and Accountability Act (HIPAA) regulations still apply during the crisis and should be considered before sharing any health data.

The news of people contracting COVID-19 is all-consuming. Local first responders, business owners, and residents are often interested in knowing if people they come into contact with are contagious. Despite the interest in knowing, there are federal and state laws that often prohibit the sharing of this type of health data.

HIPAA and COVID-19 data sharing

Through this crisis, Health Insurance Portability and Accountability Act (HIPAA) regulations still apply and should be considered before sharing any health data.

There are some circumstances in which the U.S. Department of Health and Human Services allows the sharing of protected health information (PHI) of an individual who has been infected with, or exposed to, COVID-19 without the individual’s prior consent. Covered entities may share this information with law enforcement, paramedics, other first responders, and public health authorities when the disclosure is:

  • Needed to provide treatment.
  • Required by law.
  • To notify a public health authority in order to prevent or control spread of disease.
  • To first responders who may be at risk of infection.
  • To first responders and is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.
  • To a correctional institution or law enforcement official that requested the information because they have lawful custody of an inmate or other individual.

For more information on how HIPAA can impact cities, see the League of Minnesota’s HIPAA and HIPAA FAQs web pages.

Minnesota law

In addition to the federal HIPAA regulations, Minnesota law protects health data as private data where individuals are (or can be) identified as the subject of the data. Municipalities may not disclose health records that are received from a provider of health services without patient consent, a specific authority, or a court order.

Municipalities may also collect data themselves or receive health data about individuals from other sources for the purposes of protecting public health. However, this data may not be disclosed without the approval of the commissioner of Health. The only exception to this is when data needs to be shared with another responsible authority, as authorized or required by law.

Please note that Minnesota Statutes, section 144.6581 leaves the decision whether to share health or epidemiologic data to the discretion of the commissioner of Health.

HIPAA and telehealth

During the COVID-19 crisis, cities may consider implementing alternative methods, such as video conference calling, for communicating health care information. The Health Resources and Services Administration of the U.S. Department of Health and Human Services defines telehealth as the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration. HIPAA regulations still apply to these types of communication and should be considered whenever personal health information is shared. Consult your city attorney with any questions or concerns regarding HIPAA regulations and your telecommunications process.

If your city receives any protected health information, consult with your city attorney and emergency response leaders to determine how and when PHI can be shared.