skip to main content

March 26, 2020

By: Stephanie T. Eckerle and

The Office of Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“HHS”) recently published guidance clarifying the circumstances under which law enforcement, paramedics, other emergency personnel, and public health authorities[1] may disclose an individual’s protected health information (“PHI”) without the individual’s authorization. OCR provided the following exemptions under HIPAA that allow for disclosures of PHI, in light of COVID-19: 

  • When the disclosure is necessary to provide treatment, e.g. if emergency personnel will provide treatment to a skilled nursing facility resident while the resident is being transported from the nursing facility to a hospital;
  • When required by law, e.g. a covered entity may provide the PHI of an individual who tests positive for COVID-19 to public health officials, when state law requires such reporting of confirmed or suspected cases of COVID-19;
  • To notify a public health authority to prevent or control the spread of disease, e.g. a covered entity may disclose PHI to the Centers for Disease Control and Prevention (“CDC”), or state, tribal, local, or territorial public health departments, authorized by law to collect or receive PHI to prevent or control spread of disease, conduct public health investigations, public health surveillance, and public health interventions;
  • When first responders may be at risk of infection, e.g. a county health department may, in accordance with state law, disclose PHI to emergency personnel who may have encountered an individual who tested positive for COVID-19, to help prevent or control the spread of the disease; and
  • When the disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, e.g. a covered entity may, in accordance with state law, disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, and mental health crisis services personnel, if the covered entity has a good faith belief that the disclosure is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties.

Covered entities should remember that even when HIPAA allows for certain disclosures of PHI by a covered entity without the individual’s authorization, state privacy laws may still apply. Additionally, when disclosing PHI under HIPAA, except when required by law, or for treatment disclosures, a covered entity must make reasonable efforts to only disclose the “minimum necessary,” as defined under HIPAA, to accomplish the purpose of the disclosure. For further guidance on the use of PHI for public health activities, please see

If you have any questions about HIPAA compliance during COVID-19, or general privacy and security questions, please contact Stephanie T. Eckerle or Alexandria M. Foster.



[1] Under HIPAA, “public health authority” means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.