HIPAA Privacy Rule and COVID Explained: What Covered Entities Can Share, When



Kevin Henry

HIPAA

February 16, 2025

7 minutes read

HIPAA Privacy Rule Overview

Who is covered and what counts as PHI

The HIPAA Privacy Rule governs how covered entities—health care providers, health plans, and health care clearinghouses—use and disclose Protected Health Information (PHI). PHI is any individually identifiable health information, including diagnoses, test results, and billing details, in any form. Business Associates that handle PHI on behalf of covered entities must follow comparable safeguards under written agreements.

Permitted uses and disclosures without patient authorization

HIPAA permits certain uses and disclosures of PHI without Patient Authorization. Core categories include treatment, payment, and health care operations; specific Public Health Activities; disclosures required by law; and limited situations to prevent or lessen a serious and imminent threat. During COVID-19, these existing pathways—rather than special exceptions—explain what you may share and when.

De-identified information

De-identified Information, stripped of specified identifiers or certified by an expert, is not PHI and may be used or shared freely. When full PHI is unnecessary, using de-identified or limited data sets reduces privacy risk while supporting analytics, planning, and reporting.

Disclosures for Treatment

What you can share

  • Share PHI with other providers to diagnose, treat, or coordinate care, including referrals, consultations, and care transitions.
  • Exchange relevant lab results, medication lists, allergy information, vital signs, and imaging needed to manage COVID-19 or related conditions.
  • Use health information exchanges or e-prescribing systems to support timely treatment.

Key points for COVID care

  • The Minimum Necessary Standard does not apply to disclosures for treatment. You should still avoid over-sharing, but you may send the data the receiving clinician needs to care for the patient.
  • Business Associates (for example, EHR vendors or telehealth platforms) may access and disclose PHI as permitted in their agreements to support treatment workflows.
  • Coordinate across settings—EMS, urgent care, hospitals, and post-acute providers—to ensure continuity for COVID-positive or exposed patients.

What to avoid

  • Do not disclose PHI for non-care purposes (such as media inquiries or general curiosity) without Patient Authorization or another HIPAA permission.
  • Do not include unrelated, highly sensitive details when a narrower treatment disclosure suffices.

Disclosures to Public Health Authorities

Who qualifies as a public health authority

Public Health Authorities are agencies or entities authorized by law to collect or receive PHI for preventing or controlling disease, such as state and local health departments or federal agencies. Sharing PHI with them for Public Health Activities does not require Patient Authorization.

What you can share

  • Reportable disease reporting, including confirmed or probable COVID-19 cases and test results, as required or authorized by law.
  • Disclosures for contact tracing, case investigation, outbreak management, and vaccine monitoring conducted by Public Health Authorities.
  • Reporting vital events, adverse events, or surveillance data to support community-level response.

Minimum necessary and documentation

  • When disclosures are required by law, you must disclose what the law requires. When disclosures are permitted (not required), apply the Minimum Necessary Standard—send only the fields the public health program needs.
  • Document your legal basis (required vs. permitted), the recipient authority, and what was disclosed to maintain compliance and audit readiness.

Disclosures to First Responders

When disclosure is allowed

  • To prevent or lessen a serious and imminent threat to a person’s or the public’s health or safety, consistent with professional judgment and applicable laws.
  • For treatment of the individual—e.g., sharing essential information with EMS responding to a 911 call.
  • When another law requires or expressly authorizes the disclosure (for example, to law enforcement in defined circumstances).

Practical examples

  • Alerting a responding EMS crew that a patient is suspected or confirmed to have COVID-19 so they can don appropriate PPE.
  • Providing dispatch with clinically relevant cautions tied to a specific response, not broad lists of residents or mass data downloads.

Boundaries and safeguards

  • Apply the Minimum Necessary Standard unless the disclosure is for treatment or required by law.
  • Limit details to what first responders need for safety and care; avoid full charts or unrelated history.
  • Log non-routine disclosures and verify recipient identity whenever feasible.

Disclosures to Family and Friends

Involvement in care or payment

You may share PHI with a patient’s family, friends, or caregivers involved in the patient’s care or payment in three situations: when the patient agrees; when the patient is given the opportunity to object and does not; or, when the patient is not present or is incapacitated, when you determine in your professional judgment that the disclosure is in the patient’s best interest.

Notification purposes

You may disclose limited PHI to notify or assist in notifying family members, personal representatives, or others responsible for the patient’s care about the patient’s location, general condition, or death. Coordinate with disaster relief organizations as appropriate.


Tips for COVID scenarios

  • Share only information directly relevant to involvement in care (e.g., isolation instructions, medication needs, discharge plans).
  • If the patient objects, honor that choice unless another HIPAA permission applies.
  • If a caller’s identity is uncertain, use call-back numbers, passcodes, or other verification before disclosing PHI.

Minimum Necessary Standard

What it means

The Minimum Necessary Standard requires you to limit PHI to the least amount needed to accomplish the intended purpose. Use role-based access, data field minimization, and policies for routine disclosures.

When it does and does not apply

  • Applies: most public health, first responder (safety) disclosures, health care operations, and many internal uses.
  • Does not apply: disclosures for treatment, disclosures to the individual, uses/disclosures pursuant to valid Patient Authorization, disclosures required by law, and compliance reviews by regulators.

Applying it during COVID

  • For case reporting, transmit only required or requested data elements—avoid entire charts if not necessary.
  • When advising first responders, share the minimum facts needed to protect them (e.g., suspected COVID status and necessary precautions), not full medical histories.
  • Prefer De-identified Information for dashboards and public updates when individual-level PHI is unnecessary.
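The following is an added illustration of field-level minimization with an accounting-of-disclosures entry; it is not code from this article, from Accountable, or from any HIPAA authority. The purpose labels, the field names, the allowlists and the sample record are assumptions chosen for the example. A real program would derive each allowlist from the recipient’s actual data specification (for example, the state case-report form) and from its own policies for routine disclosures.

```python
"""Minimum-necessary projection of a PHI record plus an accounting-of-disclosures entry.

Added example for illustration only. Purposes, field names and allowlists are assumptions.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Purposes exempt from the Minimum Necessary Standard under 45 CFR 164.502(b)(2)
# that this example models as "send the full record". Required-by-law disclosures
# are also exempt, but they are bounded by what the law names, so they are modelled
# with an allowlist below instead of a full-record send.
FULL_RECORD_PURPOSES = frozenset({"treatment", "to_individual", "authorization"})

# Allowlists for purposes where the standard applies, or where a law names the
# elements. These field sets are assumptions for the example, not any program's spec.
PURPOSE_ALLOWLIST: dict[str, frozenset[str]] = {
    "required_by_law_case_report": frozenset(
        {"name", "dob", "sex", "county", "covid_test_result", "specimen_date"}
    ),
    "public_health_permitted": frozenset(
        {"county", "covid_test_result", "specimen_date", "vaccination_status"}
    ),
    "first_responder_safety": frozenset({"name", "address", "covid_status", "precautions"}),
}


class DisclosureError(ValueError):
    """Raised when no HIPAA permission is mapped for the requested purpose."""


@dataclass(frozen=True)
class DisclosureRecord:
    """One accounting-of-disclosures entry: legal basis, recipient, fields, content hash."""

    purpose: str
    recipient: str
    fields: tuple[str, ...]
    payload_sha256: str
    disclosed_at: str


def minimum_necessary(record: dict, purpose: str) -> dict:
    """Return the subset of ``record`` permitted for ``purpose``.

    Unknown purposes are refused rather than defaulting to "share everything":
    a disclosure with no mapped permission needs a Patient Authorization.
    """
    if purpose in FULL_RECORD_PURPOSES:
        return dict(record)
    allowed = PURPOSE_ALLOWLIST.get(purpose)
    if allowed is None:
        raise DisclosureError(f"no HIPAA permission mapped for purpose {purpose!r}")
    return {field: value for field, value in record.items() if field in allowed}


def disclose(record: dict, purpose: str, recipient: str, log: list) -> dict:
    """Filter the record for the purpose and append a log entry describing what left.

    The log stores a hash of the canonical payload, not the PHI itself, so the
    accounting record can prove what was sent without becoming a second copy of it.
    """
    payload = minimum_necessary(record, purpose)
    canonical = json.dumps(payload, sort_keys=True, default=str).encode()
    log.append(
        DisclosureRecord(
            purpose=purpose,
            recipient=recipient,
            fields=tuple(sorted(payload)),
            payload_sha256=hashlib.sha256(canonical).hexdigest(),
            disclosed_at=datetime.now(timezone.utc).isoformat(),
        )
    )
    return payload


# Constructed sample record (fictional data) used to exercise the functions.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "mrn": "MRN0012345",
    "dob": "1958-05-02",
    "sex": "F",
    "address": "12 Example St, Springfield",
    "county": "Example County",
    "covid_test_result": "positive",
    "specimen_date": "2021-01-14",
    "vaccination_status": "unvaccinated",
    "covid_status": "confirmed positive",
    "precautions": "airborne and contact precautions",
    "allergies": ["penicillin"],
    "psych_history": "major depressive disorder, in remission",
}

if __name__ == "__main__":
    audit_log: list[DisclosureRecord] = []
    print(disclose(SAMPLE_RECORD, "public_health_permitted", "State health department", audit_log))
    print(disclose(SAMPLE_RECORD, "first_responder_safety", "EMS dispatch", audit_log))
    for entry in audit_log:
        print(entry)
```

Because treatment and the other exempt purposes return the full record, the caller is still expected to pass a narrower record when a narrower disclosure suffices, which is the article’s own advice against over-sharing. The refusal of unmapped purposes is the important design choice: a request the policy does not recognize (a media inquiry, a curious colleague) fails closed instead of silently returning the chart.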

Safeguarding Patient Information

Administrative, technical, and physical safeguards

  • Adopt clear policies for COVID-related disclosures, workforce training, and authorization workflows.
  • Use secure channels (encrypted email or portals) and multifactor authentication for remote access to ePHI.
  • Verify recipient identity, especially over phone or email, and log non-routine disclosures.
  • Restrict workspace exposure: avoid hallway conversations, unsecured printouts, or shared screens during teleconferences.

Working with business associates

  • Ensure Business Associate Agreements specify permitted Public Health Activities, incident reporting, and breach notification duties.
  • Confirm vendors apply strong access controls, audit trails, and incident response aligned with your risk management program.

Using de-identified and limited data

  • Prefer De-identified Information for research, analytics, and public reporting when feasible.
  • When detail is needed but full identifiers are unnecessary, consider a limited data set with a data use agreement.
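The Safe Harbor method mentioned in this article (stripping the identifiers listed in 45 CFR 164.514(b)(2)) is concrete enough to show in code. The block below is an added example, not code from the article or from Accountable. Field names and the sample record are assumptions; the set of three-digit ZIP prefixes that must be zeroed is the one HHS publishes in its de-identification guidance (derived from the 2000 census) and should be refreshed from current census data before use. The free-text scrubber is deliberately crude and is there to show why a structured-field approach alone is not enough when notes are included.

```python
"""Safe Harbor de-identification of a patient record (45 CFR 164.514(b)(2)).

Added example for illustration only. Field names are assumptions; the restricted
ZIP prefixes come from HHS guidance based on 2000 census data and must be verified.
"""
from __future__ import annotations

import re
from datetime import date

# Direct identifiers removed outright. Key names are assumptions for the example.
DIRECT_IDENTIFIERS = frozenset({
    "name", "ssn", "mrn", "phone", "fax", "email", "address", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric", "photo",
})

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer,
# per HHS de-identification guidance (2000 census). Verify against current data.
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
PHONE_RE = re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
DATE_RE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")  # MM/DD/YYYY in free text


def safe_harbor_zip(zip_code: str) -> str:
    """Keep the first three digits unless the prefix is on the restricted list."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def safe_harbor_age(dob: date, as_of: date) -> str:
    """Replace a date of birth with an age; ages over 89 collapse to '90+'."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age >= 90 else str(age)


def scrub_free_text(text: str) -> str:
    """Remove obvious identifiers from notes; keep only the year of any date."""
    text = SSN_RE.sub("[SSN]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    return DATE_RE.sub(lambda m: m.group(3), text)


def deidentify(record: dict, as_of: date) -> dict:
    """Apply the Safe Harbor rules field by field and return a new record."""
    out: dict = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue  # identifier category: drop entirely
        if field == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif field == "dob":
            out["age"] = safe_harbor_age(value, as_of)
        elif isinstance(value, date):
            out[field] = str(value.year)  # other dates: year only
        elif isinstance(value, str):
            out[field] = scrub_free_text(value)
        else:
            out[field] = value
    return out


# Constructed sample record (fictional data) used to exercise the functions.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "mrn": "MRN0012345",
    "dob": date(1930, 5, 2),
    "zip": "03601",
    "sex": "F",
    "covid_test_result": "positive",
    "specimen_date": date(2021, 1, 14),
    "note": "Pt called from 555-867-5309 on 01/14/2021; daughter jane@example.com notified.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, as_of=date(2021, 1, 20)))
```

Two points the code makes that the bullet list does not: dates lose everything but the year (and a date of birth becomes an age, capped at 90+), and a regex scrubber over notes is a best-effort backstop, not a guarantee, which is why free text is the usual reason to choose a limited data set with a data use agreement or the expert-determination route instead of claiming Safe Harbor.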

Conclusion

COVID-19 did not rewrite HIPAA; it activated existing pathways for sharing PHI responsibly. Use treatment, public health, and safety disclosures where appropriate; apply the Minimum Necessary Standard; and reinforce safeguards and Business Associate controls. When in doubt, narrow the purpose, verify the legal basis, and document what you shared and why.

FAQs

What is the HIPAA Privacy Rule and how does it relate to COVID?

The HIPAA Privacy Rule sets national standards for when PHI may be used or disclosed. During COVID-19, it permits sharing for treatment, specific Public Health Activities, required-by-law reporting, and limited safety disclosures without Patient Authorization. The same rule—not emergency-only waivers—guides what you can share and when.

When can PHI be shared without patient authorization during the COVID pandemic?

You may share PHI without authorization for treatment; with Public Health Authorities for disease control and reporting; when required by law; and to prevent or lessen a serious and imminent threat (such as protecting first responders). Apply the Minimum Necessary Standard unless the disclosure is for treatment, to the individual, required by law, or made under a valid authorization.

What is the Minimum Necessary Standard?

It requires you to limit PHI to the least amount needed for the purpose. It applies to most public health and safety disclosures but not to treatment, disclosures to the patient, or those required by law. In practice, share only relevant fields—avoid full chart exports when a concise data subset suffices.

Can PHI be shared with family members during COVID?

Yes, if the patient agrees, does not object after being informed, or you determine it is in the patient’s best interest (for example, the patient is incapacitated). Limit disclosures to information directly related to the person’s involvement in care or payment, and verify identity before sharing.
