HIPAA Disclosures – COVID 19 – First Responders

Provided by CPOA Legal Counsel, Paul R. Coble, Jones & Mayer

A recurrent question of late has been what, if any, information can be relayed to first responders – Police and Fire Emergency Medical Services (“EMS”) concerning potential COVID-19 exposure from a given person and/or location.  Fortunately, guidance has now been had from the U.S. Department of Health and Human Services in an online bulletin received March 31, 2020[1].  Fundamentally, this bulletin establishes that a “covered entity,” within the meaning of HIPAA, may make certain Personal Health Information (“PHI”) available to first responders under specified circumstances such as to prevent spread of a disease or to protect themselves from exposure to a threat to their health, such as COVID-19.

What is meant by “first responders” is commonly understood to be emergency fire, police or medical personnel who are, literally, the first to respond to emergent situations of death, injury or disease.

But what is meant by the term “covered entity” under HIPAA?  According to the website for the National Institutes of Health (https://privacyrulereearch.nih.gov):

Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.  Generally, these transactions concern billing and payment for services or insurance coverage.  For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly or through an intermediary to a health plan are covered entities.  Covered entities can be institutions, organizations, or persons.

Certainly, this would include health care providers, clinics, hospitals, and local health officials, as well as cover emergency medical responders such as Fire and EMS.  Police might not fit within the meaning of a “covered entity” which can make such disclosures[2] unless in a jurisdiction where law enforcement provides emergency medical care as part of its public safety mandate.  HHS notes that even a non-covered entity may make such disclosures in the interest of protecting the health of first responders.

For instance:

“A covered entity, such as a hospital, may provide a list of the names and addresses of all individuals it knows to have tested positive, or received treatment, for COVID-19 to an EMS dispatch for use on a per-call basis.  The EMS dispatch (even if it is a covered entity) would be allowed to use information on the list to inform EMS personnel who are responding to any particular emergency call so that they can take extra precautions or use personal protective equipment (“PPE”).”

HHS further addressed the issue of inquiries by 911 call centers to callers to attempt to determine if first responders should be placed on notice of the potential for exposure to a disease, such as COVID-19, on a particular call.  Specifically, HHS provided the following example:

“Example: A 911 call center may ask screening questions of all callers, for example, their temperature, or whether they have a cough or difficulty breathing, to identify potential cases of COVID-19. To the extent that the call center may be a HIPAA covered entity, the call center is permitted to inform a police officer being dispatched to the scene of the name, address, and screening results of the persons who may be encountered so that the officer can take extra precautions or use PPE to lessen the officer’s risk of exposure to COVID-19, even if the subject of the dispatch is for a non-medical situation.

Discussion: Under this example, a 911 call center that is a covered entity should only disclose the minimum amount of information that the officer needs to take appropriate precautions to minimize the risk of exposure. Depending on the circumstances, the minimum necessary PHI may include, for example, an individual’s name and the result of the screening.” (Emphasis added.)

HOW THIS AFFECTS YOUR AGENCY

While first responders can be provided this information, care must be taken not to unnecessarily disclose or make public PHI.  The dispatch center should not post the contents of a list of persons with COVID-19, such as on a website or through distribution to the media; nor should it send compiled lists of individuals to first responders.  Disclosures should be made on a per-call basis.

Another practical concern is how information is communicated on a per-call basis.  If the local agency is not equipped with either secure in-vehicle computers or encrypted radio transmissions, responding personnel should be directed to contact the dispatch center via secure phone connection to receive PHI related to the call for service.  Discretion is of paramount importance, and personnel must not discuss PHI except to the extent it is relevant to the proper handling of the given call for service.

As always, if you wish to discuss this matter in greater detail, please feel free to contact Paul Coble at (916) 771–0635 or via email at prc@jones-mayer.com .

Information on www.jones-mayer.com is for general use and is not legal advice.  The mailing of this Client Alert Memorandum is not intended to create, and receipt of it does not constitute, an attorney-client-relationship.

[1] Go to https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf

[2] While a police department itself may not be deemed a covered entity, the City itself would be if it provides fire, paramedics, ambulance services and/or police services by means of which PHI can be obtained by an individual employee in the course of their job duties.  As a result, all employees who may receive such information are bound to hold it in confidence.