HIPAA Considerations for Law Enforcement during the COVID-19 Pandemic

HIPAA Considerations for Law Enforcement during the COVID-19 Pandemic


During the COVID-19 pandemic, information regarding the proper and legal disclosure to law enforcement of protected health information (PHI) of individuals confirmed or suspected of having COVID-19 has been a topic of concern.

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule does allow healthcare providers and/or other associated healthcare entities to disclose an individual’s PHI to law enforcement as it relates to COVID-19 infection, exposure, or any other reasonably pertinent information without a signed HIPAA Authorization by the individual.

Disclosure of COVID-19 related PHI to law enforcement
is intended to prevent and control the spread of COVID-19 as well as protect the health and safety of first
responders as they carry out their essential duties during
the pandemic.

Understanding the HIPAA Privacy Rule
The HIPAA Privacy Rule, originated in 1996, gives privacy protections to individuals relating to any health information in the possession of their health care providers and/or other associated health care entities (HIPAA-covered entities). HIPAA provides these HIPAA-covered entities with rules on when, and with who, a person’s PHI can or cannot be shared, affording the individuals they serve more rights regarding the distribution of their health information.

Law enforcement agencies are not HIPAA-covered entities and are not subjected to the privacy rules set forth in the HIPAA law nor privy to PHI. There may be exceptions such as when law enforcement agencies operate their own, independent emergency medical services, which would be considered HIPAA-covered agencies.

There are instances where HIPAA-covered agencies can disclose PHI to law enforcement. The most evident example is when a person signs a HIPAA authorization form giving permission to disclose PHI to law enforcement. However, PHI can be disclosed to law enforcement by HIPAA-covered entities in situations
where authorization was not signed. These situations
include when:

  • There is a good faith belief of an imminent threat to the health or safety of an individual or the public. This exception applies heavily in the midst of the COVID-19 pandemic.
  • Criminal activity is suspected or involved, such as when:
    • A crime occurring on the premises of a HIPAAcovered entity
    • Patient death
    • Off-site medical emergencies
    • Specific crime-related injuries such as gunshot or stab wounds
    • Identifying or locating a suspect, fugitive, material witness or missing person
    • Child abuse or neglect
  • A legal requirement such as a warrant, a subpoena or summons has been served.
  • A law enforcement official makes an administrative request to a HIPAA-covered entity, detailing reasons for the requested information.

A Discussion: PHI Disclosure to Law Enforcement
in the COVID-19 Pandemic

Specific examples where HIPAA-covered entities may
share COVID-19 related PHI with law enforcement
are when:

  • Emergency Medical Services (EMS) are responding to an incident along with law enforcement officers and are aware of a situation where close contact with a person who has tested positive for COVID-19 will occur.
  • HIPAA-covered entities have a good faith belief that disclosing the relevant PHI will minimize or stop a threat of imminent exposure of COVID-19 to any officers or other personnel.
  • Law enforcement officials have lawful custody of an individual or inmate and are requesting the COVID-19 related PHI to maintain the health and safety of that individual and other individuals in custody, correctional staff or others in law enforcement.
  • 911 Call Centers have used COVID-19 screening questions and believe an individual(s) may potentially have COVID-19.
    • Depending on whether the call center is a HIPAA covered entity or not may determine the level of PHI information that is given to law enforcement.

Additional COVID-19 HIPAA Considerations for Law

Consider the following when approaching HIPAA concerns in the COVID-19 pandemic.

  1. Understand the fact that HIPAA-covered entities may:
    • Only disclose limited and relevant PHI.
    • Assess whether PHI should be disclosed on a case by case assessment.
    • Not provide a public and/or comprehensive list of COVID-19 positive individuals.
  2. Reach out to the following institutions or individuals to help facilitate and streamline the message that COVID-19-related PHI can legally be given to law enforcement for their protection and preparedness:
    • Local, state, and federal government
    • Key political leaders (such as your state governor)
    • HIPAA-covered entities such as local hospitals, long-term care facilities, and local EMS
  3. Establish an in-agency system to ensure confidentiality of any PHI disclosed to law enforcement by HIPAA-covered entities. Some examples include designating a single person as the point of contact within the agency to handle COVID-19 PHI information. Divulge PHI information on a case-by-case assessment or remove individuals from any COVID-19 exposure list after a designated amount of time.
  4. Communicate your system of confidentiality within the law enforcement community to relevant stakeholders.


Related Content



Related Content

Scroll to preview content. Please sign in to read and get access to more member only content.



IACP - Loader Animation IACP - Loader Animation IACP - Loader Animation