March 12, 2020

By: Stephanie T. Eckerle and Susan E. Ziel

The Health Insurance Portability and Accountability Act of 1996[1] (“HIPAA”) governs disclosures of protected health information (“PHI”) that is created, received or maintained by HIPAA covered entities and their business associates.  Health care providers must take into consideration specific provisions of HIPAA and other state and federal privacy laws when dealing with patients potentially impacted by COVID-19.  This must be balanced against a health care provider's duty to report cases of COVID-19, as discussed below. 

In light of COVID-19, the Office for Civil Rights (“OCR”) of the U.S. Department of Health and Human Services (“HHS”) published a bulletin[2] which describes how health care providers are permitted to disclose PHI under HIPAA in an outbreak of infectious disease or other emergency situation.  OCR highlighted the following permissible disclosures in the bulletin:   

  • Treatment:  Covered entities may disclose PHI as necessary and without an authorization in order to provide treatment[3] to the patient or to a different patient.  Treatment includes the coordination or management of health care, consultation between providers, and referrals for treatment.
  • Public Health Authorities:  Covered entities may disclose PHI to a public health authority,[4] such as the CDC or a state or local health department, that is authorized by law to collect or receive such PHI, for purposes of preventing or controlling disease, injury or disability.  This is in line with the Indiana State Department of Health’s (“ISDH”) requirement that patients suspected of having COVID-19 should be immediately reported to ISDH.[5]
  • Foreign Government Agency: At the direction of a public health authority, a covered entity may disclose PHI to a foreign government agency that is acting in collaboration with the public health authority.
  • Persons at Risk: Covered entities may notify persons at risk of contracting or spreading a disease or condition if an applicable state or other law authorizes the notification.
  • Family Members: Covered entities may notify family members, relatives, friends or other persons involved in a particular  individual patient’s care.
  • Identification and Notification: Covered entities may make disclosures to identify, locate and notify family members, guardians or other responsible parties regarding an individual patient’s location, general condition, or death, and as necessary, involve law enforcement[6], the press, or the public at large to accomplish these notifications, all of which are subject to certain limitations.
  • Prevention of a Serious or Imminent Threat:  Covered entities may make disclosures as necessary to prevent or lessen a serious and imminent threat[7] to the health and safety of an individual or the public, consistent with applicable state laws or regulations or a court decision.  

When applying the OCR bulletin, please note three additional considerations: 

  • For all of the above disclosures, with the exception of those for Treatment, only the “minimum necessary” PHI should be released to accomplish the intended purpose.  
  • Covered entities must also heed applicable state laws and regulations that concern the confidentiality of communicable disease records, which are often more stringent than HIPAA. In the state of Indiana, for example, the Indiana Code permits certain disclosures of communicable disease records, but only (1) if the records are de-identified and used for authorized statistical purposes, (2) with lawful consent, or (3) to the extent necessary to enforce public health laws.[8] 
  • Any disclosure to the media or through social media, to the public at large, or to any individual not otherwise involved in the patient’s care is not permitted at any time unless the patient or his/her legal representative has signed a written HIPAA-compliant authorization, or the PHI has been completely de-identified in accordance with HIPAA requirements.[9]   To do otherwise may result in a breach[10] or other unauthorized disclosure in violation of HIPAA. 

Please contact Stephanie T. Eckerle or Susan E. Ziel if you have any questions or if you require additional information in managing your HIPAA compliance requirements. 



[1] Public Law 104-191.

[3] 45 CFR 164.501.

[4] 45 CFR 164.512(b).

[5] See ISDH, Guidance for Clinicians: Evaluating and Managing Patients with Suspected Novel Coronavirus (COVID-19),

[6] 45 CFR 164.512(f).

[7] 45 CFR 164.512(j).

[8] IC 16-41-8-1(b).

[9] 45 CFR 164.514.

[10] HITECH Act § 13400, codified at 42 USC 17921.