Question: Is my office violating HIPAA rules for releasing patients’ protected health information (PHI) like COVID-19 test results to public health authorities during the public health emergency (PHE)? Are we supposed to wait for a request to be made or can we continue to just send the pertinent information? Washington, D.C. Subscriber Answer: Probably not. The Office for Civil Rights (OCR) recently released guidance for how covered entities can release data on health information exchanges (HIE) for purposes of public health. “OCR is issuing this guidance to highlight how HIPAA supports the use of health information exchanges in sharing health data to improve the public’s health, particularly during the COVID-19 public health emergency,” said OCR Director Roger Severino. “The Privacy Rule permits a covered entity to disclose PHI through an HIE to a PHA for public health activities, and this permission does not require that the covered entity receive a direct request for PHI from the PHA if the covered entity knows that the PHA is using the HIE to collect such information, or that the HIE is acting on behalf of the PHA,” the guidance says. “For example, a city health department (a PHA) that is authorized by law to obtain COVID-19 related test results, and to track the overall health of the individuals tested over time, may contract with, or grant authority to, a regional HIE to receive summary records about individuals tested for the virus from local health care providers,” the guidance explains. Resource: Find the entire guidance here www.hhs.gov/sites/default/files/hie-faqs.pdf.