HIPAA and COVID-19: What Healthcare Providers Need to Know

Healthcare Consultant
Excelsis Enterprises, Inc
Houston, TX

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule protects the privacy of patients’ health information (protected health information [PHI]) but is balanced to ensure appropriate use and disclosure of the information when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.

The HIPAA Privacy Rule applies to disclosures made by employees, volunteers, and other members of a covered entity’s or business associate’s workforce. Covered entities are health plans, healthcare clearinghouses, and those healthcare providers that conduct 1 or more covered healthcare transactions electronically, such as transmitting healthcare claims to a health plan. Business associates (including their subcontractors) are persons or entities (other than a covered entity’s workforce) that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting PHI. The Privacy Rule does not apply to disclosures made by entities or other persons who are not covered entities or business associates (although such persons or entities are free to follow the standards on a voluntary basis).1 There may be other state or federal rules that apply.

Since HIPAA was enacted in 1996, the United States has not faced a disease outbreak of COVID-19’s magnitude. Accordingly, the Office for Civil Rights and covered entities have never needed broad-sweeping waivers or public health pronouncements regarding health information privacy like those currently being contemplated. The pandemic has therefore created additional challenges for healthcare providers. Specifically, many questions arise regarding the ability of entities covered by HIPAA regulations to share information. The HIPAA Privacy Rule allows patient information to be shared to assist in nationwide public health emergencies and to assist patients in receiving the care they need. Although the HIPAA Privacy Rule is not suspended during a public health emergency, the Secretary of the US Department of Health & Human Services may waive certain provisions of the rule under the Project Bioshield Act of 2004 of the Social Security Act.2 The following is a summary of how HIPAA applies to patient confidentiality during the COVID-19 pandemic.


Even without a waiver, the HIPAA Privacy Rule always allows patient information to be shared in the following circumstances.

  • To Public Health Authorities: Federal and state laws allow disclosure of health information without the patient’s authorization to public health authorities and others responsible for ensuring public health and safety that is necessary to carry out their public health missions (eg, the Centers for Disease Control and Prevention [CDC], state and local health departments). This would include, for example, the reporting of disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. A covered entity could, therefore, disclose PHI on an ongoing basis as needed to report all previous and prospective cases of patients exposed to, or suspected or confirmed to have, COVID-19 to the CDC.3
  • To Persons at Risk: Federal and state laws permit disclosure of a patient’s PHI to a person at risk for contracting or spreading a disease as necessary to prevent or control the spread of the disease. Thus, covered entities may disclose PHI about an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, or other first responders without HIPAA authorizations.3

Allowable - With Caution

  • To Family, Friends, and Others Involved in the Patient’s Care: Federal and state laws allow disclosure of health information to the patient’s family members, friends, and other persons who have been identified by that patient as being involved in their care. The practice should obtain verbal permission from the patient when possible or be able to reasonably infer that the patient does not object. In addition, the practice may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, when necessary, notifying family members and others, the police, the press, or the public at large.3
  • For Notifications: A practice may share PHI with disaster relief organizations (eg, the American Red Cross) that are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death. In this situation, a HIPAA authorization is not needed to share PHI if obtaining one would interfere with the organization’s ability to respond to the emergency.3
  • To Prevent a Serious and Imminent Threat: A practice may disclose a patient’s health information, without the patient’s permission, to anyone who is in a position to prevent or lessen a serious and imminent threat, including family, friends, caregivers, and law enforcement. HIPAA expressly defers to the professional judgment of healthcare providers in making determinations about the nature and severity of the threat to health and safety.3

Not Allowable

  • Media and Others Not Involved in the Patient’s Care: Reporting to individuals not involved in the patient’s care, the media, or the public at large about an identifiable patient, or disclosing to such parties specific information about the treatment of an identifiable patient, such as specific tests, test results, or details of a patient’s illness, may not be done without the patient’s written authorization (or the written authorization of a person legally authorized to make healthcare decisions for the patient).3


Practices should have policies and procedures in place that describe how they will release information during an emergency. Although federal and state laws allow for disclosure of PHI for specific reasons, discussed in this article, providers must make reasonable efforts to limit the disclosure to the minimum necessary to accomplish the purpose of the disclosure. Even in emergency situations, practices must continue to implement reasonable safeguards to protect patient information from impermissible use and disclosures.


  1. US Department of Health & Human Services. Public health. www.hhs.gov/hipaa/for-professionals/special-topics/public-health/index.html. Accessed December 13, 2020.
  2. US Department of Health & Human Services. Emergency situations: preparedness, planning, and response. www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/index.html. Accessed December 13, 2020.
  3. US Department of Health & Human Services. HIPAA, health information exchanges, and disclosures of protected health information for public health purposes. December 18, 2020. www.hhs.gov/sites/default/files/hie-faqs.pdf. Accessed December 13, 2020.
Article provided through a partnership with
Practice Management Institute
Michigan Society of Hematology & Oncology
