On December 18, 2020, the Office for Civil Rights (OCR) of the Department of Health and Human Services published a guidance document addressing circumstances in which a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) or its business associate may disclose protected health information (PHI) to a public health authority through a health information exchange (HIE). Some circumstances in which PHI may be disclosed are in effect only during the COVID-19 public health emergency (PHE). Covered entities need to be aware of this limitation and prepare to terminate or modify these arrangements when the PHE terminates. If a covered entity is using an HIE to transmit PHI to a public health agency, once the COVID-19 PHE ends, the parties will need to discontinue this disclosure unless the business associate agreement (BAA) expressly permits it.

The guidance lists the following circumstances in which a covered entity or its business associate may disclose PHI to a public health agency without the authorization of the patient:

  • When the disclosure is required by law.
  • When the HIE is a business associate of the covered entity, or of another business associate, and intends to provide PHI for public health purposes. This disclosure is permitted if the business associate agreement (BAA) expressly permits or requires the HIE to disclose PHI to a public health agency. In addition, during the COVID-19 PHE, the HIE may disclose PHI for public health purposes whether or not the BAA expressly permits the disclosure. An example of this type of disclosure is an HIE that is a business associate of a covered entity transmitting test results to a public health agency.
  • When the HIE is granted authority by the public health agency (e.g., through a contract) to collect the information.

Except for disclosures required by law, covered entities must make reasonable efforts to limit PHI disclosed to public health agencies to the minimum necessary to accomplish the public health purpose. However, the covered entity may rely on the public health agency’s reasonable representations that the information it is requesting is the minimum necessary. This includes circumstances where the public health agency requests a summary record, such as a continuity of care document, as the minimum necessary PHI. Finally, during the COVID-19 PHE, an HIE may transmit to a public health agency PHI it received in its capacity as a business associate without first obtaining permission from the covered entity. In this event, the HIE must inform the covered entity within ten calendar days after the disclosure occurs.