

COVID-19: Privacy Considerations for Health Care Providers

March 14, 2020

As health care providers meet the challenges of our current public health emergency, we thought it might be useful to provide, in question and answer format, a reminder regarding the legal and ethical responsibilities with respect to the privacy of patients and colleagues.

  1. How Should Providers Respond to Inquiries from Public Health Authorities?
    When your organization begins to get questions from “public health authorities” as to whether you have COVID-19 cases, make sure the entity requesting the information is, in fact, a “public health authority,” such as the CDC or a state department of health.  Other entities lacking an official public health mandate are less likely to be public health authorities for HIPAA purposes, despite potential representations to the contrary.  For example, municipal boards, school boards, or municipal employers may request disclosures of Protected Health Information (“PHI”), but in most instances they do not have public health matters as part of their official mandate, and so are not public health authorities.  If a bona fide public health authority is requesting the information, you may disclose PHI about specific patients, including individually identifiable information, without the patient’s authorization, and may rely on representations from the public health authority that it is requesting the minimum necessary amount of PHI for its public health purpose.
  2. How Should Providers Respond to Questions from the Media?
    Providers generally may not disclose PHI to the media even when there is a public health emergency. The U.S. Department of Health and Human Services confirmed this in a recently released bulletin, stating that “affirmative reporting to the media or the public at large about an identifiable patient, such as specific tests, test results, or details of a patient’s illness, may not be done without the patient’s written authorization.”  Thus, any notification to the media about a COVID-19 positive patient may not contain identifiable information about the patient or his or her treatment.  Providers can respond to media or other requests about a particular patient asked for by name, by releasing limited facility directory information to acknowledge an individual is a patient, and may provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released), but only if the patient does not object to the disclosure of such information.
  3. How Should Providers Respond to Requests for Information from Family and Friends?
    A provider may disclose PHI of a patient to family, friends, and others involved in the patient’s care, if it gets verbal permission from the patient, or otherwise is able to reasonably infer that the patient does not object, when possible.  Here, it is best to only disclose to family and friends who have been identified by the patient.  If the individual is incapacitated or not available, a provider may share information for these purposes if, in its professional judgment, doing so is in the patient’s best interest.
  4. May A Provider Notify Others of Potential Exposure?
    If a provider wishes to notify a person not named by the patient, or unknown to the provider as a family member or friend of the patient, then it may nevertheless choose to disclose PHI to that person if there is a serious and imminent threat to the person.  HIPAA defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety, and at this time there is no duty or obligation to notify others of potential coronavirus exposure, although that may change in the future.  Note too that this is an individualized determination for each situation, so that even if one disclosure is deemed serious and imminent by a health care professional, not all disclosures involving COVID-19 will necessarily be similarly serious and imminent.  In addition, in adhering to HIPAA’s minimum necessary standard, we think there are ways to make these notifications by revealing minimal, if any, PHI, without identifying the patient who has tested positive to the potentially exposed party.
  5. What Can You Disclose to Colleagues and the Workforce When Employees Test Positive?
    It is our recommendation that the provider make a determination about notification based upon the facts of each case.  Notifying employees and the workforce based on symptoms alone would be over-inclusive during cold and flu season, and having to issue whipsaw alerts and then rescissions of those alerts does not serve the interests of the provider organization or its employees.  Therefore, providers should begin to think about notifying their workforce and the employee’s co-workers when an employee is tested and has a confirmed positive test for COVID-19.  The specific response by providers regarding advising employees as to who should be tested will vary considerably based on how and when the employee is diagnosed, the role of occupational health services, employee wellness plans, self-funded vs. fully-insured health plans, unionized workforce or non-unionized workforce, and many other factors.
  6. How Should Providers Avoid Employee and Workforce Gossip?
    Providers should remind their employees that HIPAA basics such as confidentiality, role-based access, and authorized uses and disclosures of patients’ health information are still the expectation and the law. Role-based access means that not every provider employee is entitled to know the PHI of every hospital patient, and PHI needs to be used and disclosed only as authorized by HIPAA.  So if a provider's administrator, board member, local politician, prominent physician, or any recognizable person such as a neighbor, tests positive for COVID-19, that information is not gossip for the watercooler, lunch table, or Sunday supper.  The last thing a provider wants to do while responding to this public health emergency is open itself up to apparent, or actual, violations of HIPAA’s longstanding patient privacy protections.
© Shipman & Goodwin LLP 2021. All Rights Reserved.