Feds: Tenn. can share COVID-19 patient info without violating HIPAA
The COVID-19 pandemic sparked the state of Tennessee to exercise an option allowing it to share Protected Health Information (PHI) with first responders. A memorandum of understanding allows the Tennessee Department of Health to release the names and addresses of Tennesseans diagnosed with the virus. The option was originally granted by the U.S. Department of Health in 1996 but wasn't adopted and made effective effective until April 21, 2020.
"Public health departments have dealt with sensitive information like this for years; protocols have already been in place for years," said health care regulation and compliance attorney Shannon Coleman Egle, a partner at Kraymer Rayson.
The memorandum of understanding (MOU) was agreed upon between the Tennessee Department of Health and the Tennessee Emergency Communications Board to "prevent or control the spread of COVID-19, minimize risk of exposure to first responders and to keep those in custody safe."
"So, if they are going in a home where someone has tested positive, they need to know that it's crucial that they wear the proper PPE when they are going into that home," Egle said.
Many have asked whether the disclosure of patient information is a breach of the Health Insurance Portability and Accountability Act (HIPAA). The short answer is 'no,' according to Egle.
Egle told WVLT's Gwendolyn Ducre, "There is a specific exception in HIPAA that allows that. Furthermore, the Office of Civil Rights, which is the federal agency that enforces HIPAA, has specifically released guidance on this issue related to COVID-19, and it gives public health departments and other covered entities, hospitals, ect. the right to disclose information that would prevent or control the spread of the disease, and it does not allow the health department to disclose more than what's minimally necessary."
The MOU states that, in accordance with HIPAA, patient information can legally be disclosed to law enforcement, first responders, paramedics and public health officials when it's necessary to 'prevent or lessen a serious and imminent threat to the healthy or safety of a person or the public'.
, the HIPAA privacy rule "permits a covered entity to disclose the protected health information of an individual who has been infected with, or exposed to, COVID-19, with law enforcement, paramedics, other first responders and public health authorities without the individual's HIPAA authorization."
The MOU between the Tennessee Department of Health and the Tennessee Emergency Communications Board indicates that a patient's name and address will roll off the list after 30 days. When Tennessee's state of emergency for COVID-19 is lifted, the health department could stop releasing the list.
Under the MOU, first responders, paramedics and law enforcement officials are required to adhere to strict privacy rules including keeping the list confidential and secure, safeguarded from easy view of anyone not privy to the information and storing electronic versions on encrypted devices.
Recipients of the list are not allowed to re-disclose the list or any information it contains to anyone.
Furthermore, the MOU states, "Any employee or officer is not providing services to individuals appearing on the list or previously on the list with the same level of service and responsiveness that they provide in response to other individuals not appearing on the list."
Abbey Dennis, a spokesperson for the Tennessee Department of Commerce and Insurance, the department over the Emergency Communications Board, said a number of measures are taken to protect patient information.
"Each Emergency Communications District (ECD) has a unique login for their data and receives only those names and addresses within their jurisdiction. The program is scrubbed daily and individuals are removed after 30 days. The ECD may only notify the first responder that an individual at a given address is on the list when the first responder is answering a call at a listed address. ECD may disclose the name of a listed individual at that address only if the individual named on the list is also the individual needing the emergency care from the first responder. Information on the list may not be disclosed for any other purpose than the purpose detailed in the Memo of Understanding. If we learn that the system is being used inappropriately in any fashion, they will no longer receive the information," Dennis told WVLT News.
Knox County Health Department officials announced Monday that they voiced concerns about the state's plan to release patient names and addresses.
"It certainly is a concern that we've had, and we voiced that concern to the state when they made the decision to release this information as did several other health departments across the state, and health care providers, but the unified command felt it was important to share with law enforcement," a KCHD spokesperson said.
A spokesperson for TECB said, “With guidance from the U.S. Department of Health and Human Services, the Tennessee Emergency Communications Board implemented this procedure in coordination with the Governor’s Office and the Tennessee Department of Health for the limited purpose of safeguarding the health of Tennessee’s first responders. As we continue to combat the COVID-19 pandemic, this procedure will give first responders the notification to take extra precautions, including enhanced use of personal protective equipment (PPE), when serving COVID-19 patients across the Volunteer State, and allowing for the conservation of PPE on non-COVID-19 related response calls.”