Information sharing between healthcare professionals is vital and during a pandemic like the one we are experiencing with COVID-19, sharing data is paramount. Information regarding the efficacy of certain treatment plans or the infection and hospitalization rate of the virus can be vital for saving lives.

However, even in these difficult times, the patient healthcare data privacy protections outlined under the Health Information Privacy and Accountability Act (HIPAA) are still in effect. Healthcare providers and business associates are expected to continue to follow the requirements of the Privacy Rule to maintain HIPAA compliance during the COVID-19 outbreak.

Related Reading:   3 Things for HIPAA Compliance When Returning to Normal Operations

Health Data Sharing During COVID-19

HIPAA’s Privacy Rule does include special provisions for information sharing during an outbreak of an infectious disease or another disaster scenario. We've outlined below the various scenarios in which the sharing of patient data without authorization is permissible.

Enabling Treatment and the Privacy Rule

The broadest category for the release of patient data is to enable the treatment of the patient or other patients. Healthcare providers can share patients’ medical records with other healthcare providers without patient consent in order to improve their ability to provide treatment.

Public Health Activities and HIPAA Compliance

Healthcare providers are also authorized to release patients’ personal health data without authorization in order to protect public health and safety. The HIPAA Privacy Rule allows the release of patient records without consent to:

  • Public Health Authorities (PHAs): National, state-level, local, or tribal government agencies that have responsibility for matters pertaining to public health
  • Individuals or Organizations: Entities or individuals can receive or collect this data if they are covered by a public health authority's contract or "grant of authority"
  • Foreign Government Authority: A PHA can authorize the release of healthcare data to a foreign government authority collaborating with that PHA
  • Individuals at Risk: State and other laws may authorize the release of healthcare data to individuals at risk of contracting or spreading the disease

What the Privacy Rule Says About Family, Friends, and Caregivers

The HIPAA Privacy Rule acknowledges the need to share patients’ care information with friends, family, and other caregivers. However, the intent is also to preserve the privacy of the patient. Sharing patient records with these parties is allowed in the following circumstances:

  • Verbal Consent: A patient must give verbal consent for sharing their data or, at the least, no indication of an objection
  • Patient’s Best Interest: If a patient is incapable of giving verbal consent (unconscious or incapacitated), a healthcare provider may share relevant information if it is in the patient’s best interest
  • Disaster Relief Organizations: Healthcare providers can share health information with organizations such as the American Red Cross for the purposes of notifying family and other caregivers
    • Consent is not required if it would impede disaster response efforts

Other Circumstances for Releasing Patient Health Data

Beyond providing treatment and sharing information with friends and family, the release of patient records or other healthcare data more widely is permitted in certain circumstances, such as:

  • Preventing a Serious and Imminent Threat: Healthcare providers can share a patient’s data with anyone who, in their professional opinion, can prevent or lessen a serious and imminent threat to the individual or the public
  • Media Releases: Unless the patient has objected, a healthcare provider can confirm that a patient is in residence and their general condition without explicit consent
    • More detailed information requires written consent or is permitted if the patient is incapacitated and revealing the information is in the patient’s best interest and is consistent with any previously expressed wishes of the patient

HIPAA applies to healthcare providers and business associates and other organizations are not required to follow these rules but may, optionally, do so.

During the COVID-19 outbreak, the requirements of the HIPAA Privacy Rule are still in place. However, the U.S. Department of Health and Human Services (HHS) acknowledges the importance of information sharing during a pandemic and has included explicit exceptions in the regulation.

Securing Patient Data During COVID-19

Healthcare providers and business associates should do their utmost to protect patient data during this crisis, and, even when authorized, should share the minimum possible amount of data required for a purpose (with the exception of treatment). For specifics on what constitutes the minimum possible amount of information in a given situation, the Department of Health and Human Services points those covered by HIPAA to the CDC.


Understanding HIPAA compliance during the Covid-19 outbreak can be difficult. We can help. Our team of HIPAA compliance experts stands ready to answer your questions.

For COVID-19 related security and compliance updates as well as general security updates, subscribe to this blog.

With Avertium, you get more rigor, more relevance, and more responsiveness. Don’t just comply, download our guide to HIPAA compliance today. Show no weakness.