Novel Coronavirus Outbreak Prompts HHS Covered Entity HIPAA Data Sharing Warning

In response to the 2019 Novel Coronavirus outbreak, the Department of Health and Human Services has released a bulletin to make HIPAA-covered entities aware of the allowable methods for sharing patient information during outbreaks of infectious disease and other emergency situations.

In the news release, the HHS confirmed that at such times, the protections of the HIPAA Privacy Rule still apply and healthcare organizations must continue to apply administrative, technical, and physical security measures to ensure the confidentiality, integrity, and availability of protected health information (PHI).

Under the HIPAA Privacy Rule, covered entities are allowed to share patient information without authorization for treatment purposes, care coordination, consultations, and referrals of patients for medical treatment.

In situations where patients are suffering from an infectious disease such as COVID-19, there is a genuine need for data to be shared with public health authorities and others responsible for ensuring public health and safety. Those entities may need to be supplied with PHI to allow them to carry out their public health missions. In such instances, the HIPAA Privacy Rule allows covered entities to share PHI with those entities, and individual authorizations are not necessary.

That includes sharing private personal information with the Centers for Disease Control and Prevention (CDC) and state and health departments authorized by law to receive information to prevent or control disease and injury. At the direction of a public health authority, PHI may also be shared with foreign government agencies that are operating with public health bodies. Data can also be shared with people believed to be in danger of contracting or spreading disease, if other laws, such as state laws, authorize the covered entity to notify such persons to help prevent the spread of disease or to carry out public health inquiries.

PHI can also be shared with friends, family members, and other individuals involved in the care of a patient, including sharing data about a patient, as required, to identify, locate, and notify family members, guardians, and others responsible for the patient’s treatment, of the patient’s location, general condition, or death.

At times like this, verbal permission should be obtained from the patient or, if the patient is unconscious or incapacitated, professional judgement should be used to determine if the patient would not object to data sharing with friends and family members.

Patient information may also be shared to eliminate or lessen a serious or imminent threat to the health and safety of a person or the public, consistent with applicable legislation. Generally speaking, providing specific information about a patient to the media or public at large is not allowed.

All allowable sharing of patient information is subject to the minimum necessary rule. Shared information should be restricted to the minimum necessary amount to accomplish the aim for which information is shared.

Author: Elizabeth Hernandez

Elizabeth Hernandez works as a reporter for Her journalism is centered on IT compliance and security. With a background in information technology and a strong interest in cybersecurity, she reports on IT regulations and digital security issues. Elizabeth frequently covers topics about data breaches and highlights the importance of compliance regulations in maintaining digital security and privacy.