How COVID-19 Regulations Affect HIPAA

As the COVID-19 pandemic swept across the world, everything, including public safety standards, changed. In order to protect health and safety, private and public organizations have worked together to enforce rules to help slow the spread of coronavirus. As protective measures are put in place, the debate has begun over public protection versus individual privacy. 

A point of conflict has come from the health sector regarding HIPAA, the Health Insurance Portability and Accountability Act, which protects the private health information of individuals. 


HIPAA was established in 1996 to regulate the way that healthcare organizations can use, store, and protect personal health information. It protects medical records from being shared without permission from the patient. 

With the introduction of contact tracing and the disclosure of COVID-19 cases to alert those who may have come into contact with those infected, federal organizations enable emergency provisions that allow patient information sharing in certain cases. This has raised some concerns about patient privacy. 

HIPAA Protections

HIPAA is designed to protect all personally identifiable health information that is used, created, stored, or transmitted by an organization that is required to comply with HIPAA. Organizations that must comply with HIPAA include healthcare providers, pharmacies, hospitals, dentists, psychologists, and any business that works with an organization that uses protected health information. 

Health information that is protected includes identifiers that show who the patient is, such as names, fates, medical record numbers, phone numbers, photographs of the face, Social Security numbers, and more. 

In order to comply with HIPAA, an organization must never disclose this information, but they should also use safeguards when this information is created or stored, whether digitally or physically. Many companies use specialized healthcare IT services to ensure their digital PHI is securely stored and complies with HIPAA standards.

How Do Public Health Emergencies Affect HIPAA Regulations?

The HIPAA Privacy Rule includes provisions that allow organizations to disclose the minimum personal health information needed under certain conditions during a public health emergency.

COVID-19 has been declared a public health emergency, so these exceptions do apply to some current circumstances.

  • When the disclosure is required in order to provide treatment. HIPAA allows a covered facility to share information about an individual with COVID-19 with emergency medical transport personnel and to provide treatment while a patient is transported to the emergency department.  
  • When the notification is required by law. HIPAA permits a covered entity, like a hospital, to disclose information about an individual with a positive COVID-19 test to public health officials. This works with state law to report confirmed or suspected cases to health officials. 
  • When others are at risk. An entity covered by HIPAA may disclose health information to a first responder, caregiver, family member, or others who may have been exposed to the virus or someone who may be at risk. 

Along with continuing to defend situations where personal health information can be disclosed under HIPAA, it has also been stated by the Health and Human Services Office for Civil Rights that it will not penalize those with HIPAA violations that have been in good faith during the pandemic. 

All opinions expressed on USDR are those of the author and not necessarily those of US Daily Review.