HIPAA Compliance for Emergency Services Volunteers

The HIPAA Privacy Rule applies to disclosures made by employees, volunteers, and other members of a covered entity’s workforce.  The question of what protected health information (PHI) may be disclosed to a volunteer first responder, and by a first responder, frequently arises in times of emergency. This article discusses HIPAA compliance for emergency services volunteers.

What are Covered Entity Volunteers?

Covered entity volunteers are individuals who work for a covered entity, but who are not paid for this work, Examples of covered entity volunteers are:

  • Volunteers who work at a nursing home to assist with patient feeding;
  • Volunteers who work at nursing unit in a hospital by routing calls to various departments
  • Volunteers who assist staff that provide healthcare treatment. These volunteers, for example, can respond to voice messages left by patients, by notifying the appropriate healthcare provider of the message’s contents.

Emergency Services Volunteers: When Can First Responders Receive PHI?

Covered entities may disclose PHI to emergency services volunteers who may have been exposed to COVID-19. Covered entities may disclose PHI to the first responder if the first responder is otherwise at risk of contracting or spreading COVID-19. For a covered entity to make any of these disclosures, the covered entity must be authorized by law to do so. Examples of laws allowing disclosures include state public health laws requiring notification as part of a public health intervention.

Do you have an effective HIPAA compliance program? Find out now by completing the HIPAA compliance checklist.

For example, the Privacy Rule permits a covered county health department, in accordance with a state law, to disclose PHI to emergency services volunteers, police officers, firefighters, or other personnel who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19.

Under the Privacy Rule, a covered entity may also disclose PHI to prevent or lessen a serious and imminent threat to a person or the public, provided the disclosure is made to someone they believe can prevent or lessen the threat. The disclosure, in some instances, can be made to the target of the threat. 

For example, a covered entity, as allowed by state law, may disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, first responders, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public. The covered entity may do so, only if it believes disclosure is needed to prevent or minimize the threat of imminent disclosure to such personnel in the performance of their work. 

Emergency Services Volunteers: Can Emergency Services Volunteers Disclose PHI?

Under the Privacy Rule, the term “workforce” includes employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.

Therefore, covered entity volunteers must comply with the HIPAA Privacy Rule and the HIPAA Security Rule to the same extent as paid healthcare workers do. 

Volunteer first responders, firefighters, and other emergency services may transmit or disclose PHI under certain circumstances. For example, under the Privacy Rule, a covered entity, such as a hospital, may provide a list of the names and addresses of all individuals it knows to have tested positive, or received treatment, for COVID-19 to an EMS dispatch for use on a per-call basis. 

What Can the EMS Dispatch Do with This Information? 

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has stated that the EMS dispatch  – whether it is a covered entity or not – may disclose information on the list to EMS personnel responding to any particular emergency call, so that they can take extra precautions or use personal protective equipment (PPE). Essentially, a dispatch may disclose PHI to a first responder, when necessary for the first responder to take appropriate precautions.

However, the covered entity may not post these contents publicly or distribute the list to the media. The list should not be distributed to the EMS personnel, rather the information should only be disclosed about the individual in question, on a per-call basis.

Another example of when a volunteer of a covered entity may disclose PHI is in the context of a 911 call. A 911 call center staffed by volunteers may ask screening questions about a patient with potential COVID-19 symptoms. The call center is allowed to inform the officer dispatched to the scene to allow the officer to take precautions to reduce exposure.

PHI may therefore be disclosed by volunteers in an emergency situation to allow law enforcement and other volunteers to take safety precautions.

Can a Covered Entity Share PHI with a Non-Covered Entity Like the Red Cross?

A covered entity may share protected health information with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the Emergency.

Compliance for Emergency Services Volunteers: Conclusion

The HIPAA regulations apply only to covered entities (certain health plans, health care clearinghouses and health care providers, including volunteers for those providers) and business associates (generally, service providers that create, receive, maintain or transmit PHI for covered entities or other business associates). Other, non-covered entities are not entities’ workforces, by contrast, are not directly liable for complying with HIPAA. The American Red Cross, for example, is not restricted by the HIPAA Privacy Rule from sharing protected health information. A state law other than HIPAA may restrict such disclosure, but HIPAA itself does not.

For additional information on HIPAA disclosures to law enforcement, paramedics, and volunteer first responders, please click here