Sharing patient information with authorities shouldn’t cross privacy lines. Although we’re more than a year into dealing with the COVID-19 public health emergency (PHE), questions regarding patient privacy still arise on a regular basis. Check out some of the latest guidance from the Office for Civil Rights (OCR) surrounding sharing COVID-19 test results with authorities. Question: Is my office violating HIPAA rules for releasing patients’ protected health information (PHI) like COVID-19 test results to public health authorities during the public health emergency (PHE)? Are we supposed to wait for authorities to make a request or can we continue to automatically send the pertinent information? Expert answer: You probably are not violating any rules by doing this. The OCR recently released guidance for how covered entities can release data on health information exchanges (HIE) for purposes of public health. “OCR is issuing this guidance to highlight how HIPAA supports the use of health information exchanges in sharing health data to improve the public’s health, particularly during the COVID-19 public health emergency,” said OCR Director Roger Severino. According to the guidance, “The Privacy Rule permits a covered entity to disclose PHI through an HIE to a PHA for public health activities, and this permission does not require that the covered entity receive a direct request for PHI from the PHA if the covered entity knows that the PHA is using the HIE to collect such information, or that the HIE is acting on behalf of the PHA.” The guidance continues, “For example, a city health department (a PHA) that is authorized by law to obtain COVID-19 related test results, and to track the overall health of the individuals tested over time, may contract with, or grant authority to, a regional HIE to receive summary records about individuals tested for the virus from local health care providers.” Resource: Find the full guidance at www.hhs.gov/sites/default/ files/hie-faqs.pdf.