HIPAA, Civil Rights, and COVID-19
“We are empowering medical providers to serve patients wherever they are during this national public health emergency. We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.” – Roger Severino, OCR Director.
During the COVID-19 public health emergency, the HHS Office for Civil Rights (OCR) has provided guidance that helps explain civil rights laws as well as how the HIPAA Privacy Rule allows patient information to be shared in the outbreak of infectious disease and to assist patients in receiving the care they need.
Does the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule allow a covered entity to share the name or other identifying information of an individual who has been infected with, or exposed to, the virus SARS-CoV-2, or the disease caused by the virus, Coronavirus Disease 2019 (COVID-19), with law enforcement, paramedics, other first responders, and public health authorities without an individual’s authorization?
Yes, the HIPAA Privacy Rule permits a covered entity to disclose the protected health information (PHI) of an individual who has been infected with, or exposed to, COVID-19, to law enforcement, paramedics, other first responders, and public health authorities[1] without the individual’s HIPAA authorization, in certain circumstances, including the following[2]:
- When the disclosure is needed to provide treatment. For example, HIPAA permits a covered skilled nursing facility to disclose PHI about an individual who has COVID-19 to emergency medical transport personnel who will provide treatment while transporting the individual to a hospital’s emergency department. 45 CFR 164.502(a)(1)(ii); 45 CFR 164.506(c)(2).
- When such notification is required by law. For example, HIPAA permits a covered entity, such as a hospital, to disclose PHI about an individual who tests positive for COVID-19 in accordance with a state law requiring the reporting of confirmed or suspected cases of infectious disease to public health officials. 45 CFR 164.512(a).
- To notify a public health authority in order to prevent or control spread of disease. For example, HIPAA permits a covered entity to disclose PHI to a public health authority (such as the Centers for Disease Control and Prevention (CDC), or state, tribal, local, and territorial public health departments) that is authorized by law to collect or receive PHI for the purpose of preventing or controlling disease, injury, or disability, including for public health surveillance, public health investigations, and public health interventions. 45 CFR 164.512(b)(1)(i); see also 45 CFR 164.501 (providing the definition of “public health authority”).
- When first responders may be at risk of infection. A covered entity may disclose PHI to a first responder who may have been exposed to COVID-19, or may otherwise be at risk of contracting or spreading COVID-19, if the covered entity is authorized by law, such as state law, to notify persons as necessary in the conduct of a public health intervention or investigation. For example, HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. 45 CFR 164.512(b)(1)(iv).
- When the disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. A covered entity may disclose PHI to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat, which may include the target of the threat. For example, HIPAA permits a covered entity, consistent with applicable law and standards of ethical conduct, to disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties. 45 CFR 164.512(j)(1).
- When responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual, if the facility or official represents that the PHI is needed for:
  - providing health care to the individual;
  - the health and safety of the individual, other inmates, officers, employees and others present at the correctional institution, or persons responsible for the transporting or transferring of inmates;
  - law enforcement on the premises of the correctional institution; or
  - the administration and maintenance of the safety, security, and good order of the correctional institution.
For example, HIPAA permits a covered entity, such as a physician, located at a prison medical facility to share an inmate’s positive COVID-19 test results with correctional guards at the facility for the health and safety of all people at the facility. 45 CFR 164.512(k)(5).
General Considerations: Except when required by law, or for treatment disclosures, a covered entity must make reasonable efforts to limit the information used or disclosed under any provision listed above to that which is the “minimum necessary” to accomplish the purpose for the disclosure. 45 CFR 164.502(b).
In some cases, more than one provision of the HIPAA Privacy Rule may apply to permit a particular use or disclosure of PHI by a covered entity. The illustrative examples below involve uses and disclosures of PHI that are permitted under 45 CFR 164.512(a), 164.512(b)(1), and/or 164.512(j)(1), depending on the circumstances.
- Example: A covered entity, such as a hospital, may provide a list of the names and addresses of all individuals it knows to have tested positive, or received treatment, for COVID-19 to an EMS dispatch on a per-call basis. The EMS dispatch (even if it is a covered entity) would be allowed to use information on the list to inform EMS personnel who are responding to any particular emergency call so that they can take extra precautions or use personal protective equipment (PPE).
Discussion: Under this example, a covered entity should not post the contents of such a list publicly, such as on a website or through distribution to the media. A covered entity under this example also should not distribute aggregate lists of individuals to EMS personnel, and instead should disclose only an individual’s information on a per-call basis. Sharing the aggregate list or disclosing the contents publicly would not ordinarily constitute the minimum necessary to accomplish the purpose of the disclosure (i.e., protecting the health and safety of the first responders from infectious disease for each particular call).
- Example: A 911 call center may ask screening questions of all callers, for example, their temperature, or whether they have a cough or difficulty breathing, to identify potential cases of COVID-19. To the extent that the call center may be a HIPAA covered entity, the call center is permitted to inform a police officer being dispatched to the scene of the name, address, and screening results of the persons who may be encountered so that the officer can take extra precautions or use PPE to lessen the officer’s risk of exposure to COVID-19, even if the subject of the dispatch is for a non-medical situation.
Discussion: Under this example, a 911 call center that is a covered entity should only disclose the minimum amount of information that the officer needs to take appropriate precautions to minimize the risk of exposure. Depending on the circumstances, the minimum necessary PHI may include, for example, an individual’s name and the result of the screening.
Covered entities should consult other applicable laws (e.g., state and local statutes and regulations) in their jurisdiction prior to using or making disclosures of individuals’ PHI, as such laws may place further restrictions on disclosures that are permitted by HIPAA.
Information about HIPAA Privacy and COVID-19 is available at https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf.
Information about disclosures of PHI to law enforcement officials is available in OCR’s HIPAA Guide for Law Enforcement at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/emergency/final_hipaa_guide_law_enforcement.pdf.
Information about uses and disclosures of PHI for public health is available at https://www.hhs.gov/hipaa/for-professionals/special-topics/public-health/index.html.
[1] Under HIPAA, “public health authority” means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate. 45 CFR 164.501 (definition of Public health authority).
[2] The HIPAA Privacy Rule limitations only apply if the entity or individual that is disclosing protected health information meets the definition of a HIPAA covered entity or business associate. This guidance provides examples of disclosures from certain types of entities, some of which are covered by HIPAA, and others that may not be. While the entities in the example are covered under HIPAA, the examples are not intended to imply that all public health authorities, 911 call centers, or prison doctors, for example, are covered by HIPAA and are required to comply with the HIPAA Rules.
FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency
1. What is telehealth?
The Health Resources and Services Administration (HRSA) of the U.S. Department of Health and Human Services (HHS) defines telehealth as the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and landline and wireless communications.
Telehealth services may be provided, for example, through audio, text messaging, or video communication technology, including videoconferencing software. For purposes of reimbursement, certain payors, including Medicare and Medicaid, may impose restrictions on the types of technologies that can be used.[1] Those restrictions do not limit the scope of the HIPAA Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications.
2. What entities are included and excluded under the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications?
The Notification of Enforcement Discretion issued by the HHS Office for Civil Rights (OCR) applies to all health care providers that are covered by HIPAA and provide telehealth services during the emergency. A health insurance company that pays for telehealth services is not covered by the Notification of Enforcement Discretion.
Under the Health Insurance Portability and Accountability Act (HIPAA), a “health care provider” is a provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. Health care providers include, for example, physicians, nurses, clinics, hospitals, home health aides, therapists, other mental health professionals, dentists, pharmacists, laboratories, and any other person or entity that provides health care. A “health care provider” is a covered entity under HIPAA if it transmits any health information in electronic form in connection with a transaction for which the Secretary has adopted a standard (e.g., billing insurance electronically). See 45 CFR 160.103 (definitions of health care provider, health care, and covered entity).
By contrast, a health insurance company that merely pays for telehealth services would not be covered by the Notification of Enforcement Discretion because it is not engaged in the provision of health care.
3. What patients can a covered health care provider treat under the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications and does it include Medicare and Medicaid patients?
This Notification applies to all HIPAA-covered health care providers, with no limitation on the patients they serve with telehealth, including those patients that receive Medicare or Medicaid benefits, and those that do not.
Information specifically about telehealth and Medicare is available at https://www.cms.gov/newsroom/fact-sheets/medicare-telemedicine-health-care-provider-fact-sheet and https://edit.cms.gov/files/document/medicare-telehealth-frequently-asked-questions-faqs-31720.pdf.
4. Which parts of the HIPAA Rules are included in the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications?
Covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This Notification does not affect the application of the HIPAA Rules to other areas of health care outside of telehealth during the emergency.
5. Does the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications apply to violations of 42 CFR Part 2, the HHS regulation that protects the confidentiality of substance use disorder patient records?
No, the Notification addresses the enforcement only of the HIPAA Rules. The Substance Abuse and Mental Health Services Administration (SAMHSA) has issued similar guidance on COVID-19 and 42 CFR Part 2, which is available at: https://www.samhsa.gov/sites/default/files/covid-19-42-cfr-part-2-guidance-03192020.pdf.
6. When does the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications expire?
The Notification of Enforcement Discretion does not have an expiration date. OCR will issue a notice to the public when it is no longer exercising its enforcement discretion based upon the latest facts and circumstances.
7. Where can health care providers conduct telehealth?
OCR expects health care providers will ordinarily conduct telehealth in private settings, such as a doctor in a clinic or office connecting to a patient who is at home or at another clinic. Providers should always use private locations and patients should not receive telehealth services in public or semi-public settings, absent patient consent or exigent circumstances.
If telehealth cannot be provided in a private setting, covered health care providers should continue to implement reasonable HIPAA safeguards to limit incidental uses or disclosures of protected health information (PHI). Such reasonable precautions could include using lowered voices, not using speakerphone, or recommending that the patient move to a reasonable distance from others when discussing PHI.
8. What telehealth services are covered by the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications?
All services that a covered health care provider, in their professional judgement, believes can be provided through telehealth in the given circumstances of the current emergency are covered by this Notification. This includes diagnosis or treatment of COVID-19 related conditions, such as taking a patient’s temperature or other vitals remotely, and diagnosis or treatment of non-COVID-19 related conditions, such as review of physical therapy practices, mental health counseling, or adjustment of prescriptions, among many others.
9. What may constitute bad faith in the provision of telehealth by a covered health care provider, which would not be covered by the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications?
OCR would consider all facts and circumstances when determining whether a health care provider’s use of telehealth services is provided in good faith and thereby covered by the Notice. Some examples of what OCR may consider a bad faith provision of telehealth services that is not covered by this Notice include:
- Conduct or furtherance of a criminal act, such as fraud, identity theft, and intentional invasion of privacy;
- Further uses or disclosures of patient data transmitted during a telehealth communication that are prohibited by the HIPAA Privacy Rule (e.g., sale of the data, or use of the data for marketing without authorization);
- Violations of state licensing laws or professional ethical standards that result in disciplinary actions related to the treatment offered or provided via telehealth (i.e., based on documented findings of a health care licensing or professional ethics board); or
- Use of public-facing remote communication products, such as TikTok, Facebook Live, Twitch, or a chat room like Slack, which OCR has identified in the Notification as unacceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication.
10. What is a “non-public facing” remote communication product?
A “non-public facing” remote communication product is one that, as a default, allows only the intended parties to participate in the communication.
Non-public facing remote communication products would include, for example, platforms such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Whatsapp video chat, Zoom, or Skype. Such products also would include commonly used texting applications such as Signal, Jabber, Facebook Messenger, Google Hangouts, Whatsapp, or iMessage. Typically, these platforms employ end-to-end encryption, which allows only an individual and the person with whom the individual is communicating to see what is transmitted. The platforms also support individual user accounts, logins, and passcodes to help limit access and verify participants. In addition, participants are able to assert some degree of control over particular capabilities, such as choosing to record or not record the communication or to mute or turn off the video or audio signal at any point.
In contrast, public-facing products such as TikTok, Facebook Live, Twitch, or a chat room like Slack are not acceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication. For example, a provider that uses Facebook Live to stream a presentation made available to all its patients about the risks of COVID-19 would not be considered reasonably private provision of telehealth services. A provider that chooses to host such a public-facing presentation would not be covered by the Notification and should not identify patients or offer individualized patient advice in such a livestream.
11. If a covered health care provider uses telehealth services during the COVID-19 outbreak and electronic protected health information is intercepted during transmission, will OCR impose a penalty on the provider for violating the HIPAA Security Rule?
No. OCR will exercise its enforcement discretion and will not pursue otherwise applicable penalties for breaches that result from the good faith provision of telehealth services during the COVID-19 nationwide public health emergency. OCR would consider all facts and circumstances when determining what constitutes a good faith provision of telehealth services. For example, if a provider follows the terms of the Notification and any applicable OCR guidance (such as this and other FAQs on COVID-19 and HIPAA), it will not face HIPAA penalties if it experiences a hack that exposes protected health information from a telehealth session.
OCR believes that many current and commonly available remote electronic communication products include security features to protect ePHI transmitted between health care providers and patients. In addition, video communication vendors familiar with the requirements of the Security Rule often include stronger security capabilities to prevent data interception and provide assurances they will protect ePHI by signing a HIPAA business associate agreement (BAA). Providers seeking to use video communication products are encouraged to use such vendors, but will not be penalized for using less secure products in their effort to provide the most timely and accessible care possible to patients during the Public Health Emergency.
Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
OCR does not endorse the use of or the security capabilities of any particular communications product.
[1] Medicare pays for many different services that involve use of these types of communications technologies. A fact sheet regarding Medicare payment and coverage is available at: https://www.cms.gov/files/document/03052020-medicare-covid-19-fact-sheet.pdf. Telehealth services paid by Medicare are the services defined in section 1834(m) of the Social Security Act that would otherwise be furnished in person but are instead furnished via real-time, interactive communication technology.
- FAQs on HIPAA and Telehealth* (printable version)
- March 2020 Civil Rights, HIPAA, and COVID-19 Bulletin*
- March 2020 HIPAA and COVID-19 Bulletin*
- February 2020 HIPAA and Novel Coronavirus*
* People using assistive technology may not be able to fully access information in this file. For assistance, contact the HHS Office for Civil Rights at (800) 368-1019, TDD toll-free: (800) 537-7697, or by emailing OCRMail@hhs.gov.
Please view the HIPAA Emergency Preparedness page for more information on the release of protected health information for planning or response activities in emergency situations. In addition, please view the Civil Rights Emergency Preparedness page to learn how nondiscrimination laws apply during an emergency.