Contact tracing is a tool used by health departments across the country to monitor the spread of not only COVID-19, but several infectious diseases.
This health tool, however, often raises questions about compliance with the Health Insurance Portability and Accountability Act and privacy rights of individuals.
HIPPA is a federal law designed to protect sensitive patient health information, such as medical records, created or held by a health care provider, health insurance company or other payor, says Heather Delgado, a partner at Barnes & Thornburg, a law firm with offices in Chicago, Ft. Wayne, Indianapolis and South Bend.
Delgado advises hospitals, health care providers and health care associations across the country, including Community Hospital in Munster, on regulatory, transactional and compliance matters, including HIPAA.
“Protected health information is individually identifiable health information, which means that the information includes an individual’s name, date of birth or other identifier, along with health information about the individual,” Delgado said.
Contact tracing generally does not fall under HIPAA because it does not involve a health care provider or insurance company, she says. This method for tracing infectious diseases may be implemented through entities not subject to HIPAA, such as a school.
“In addition, contact tracing does not generally require disclosing identifying information about the infected individual to individuals who came in contact with the infected individual, and no health information is disclosed along with those individuals’ names,” Delgado said.
For years, health departments and government agencies have used contact tracing to track infectious diseases, such as measles or mumps. State and local health departments, in particular, use contact tracing to track sexually transmitted diseases, including HIV/AIDS and other communicable diseases.
Though contact tracing is typically done by local health departments, Indiana launched a centralized contact tracing center to handle the number of COVID-19 cases, said Megan Wade-Taxter, spokeswoman for the Indiana State Department of Health.
When contact tracing, a health care provider may disclose protected health information if authorized by the patient, Delgado said. However, HIPAA includes an exception that permits the disclosure for purposes of public health reporting.
“Thus, a health care provider who diagnoses a patient with COVID-19 is permitted, under the public health exception, to report the case to the state or local health department, as required under most state public health laws,” Delgado said.
The health department takes it from there.
“All positive cases are required to be reported to the ISDH,” Wade-Taxter said. “As soon as a case is identified for contact tracing, an initial text message goes out to all phone numbers associated with the case, notifying them that the state’s contact tracing call center needs to reach them.”
Contact tracing protocols include collecting protected health information from individuals about symptoms and exposures to other people, including in the workplace. A person’s answers to these questions are entered into a protected database.
“When a close contact of someone who has tested positive is identified, that close contact is then notified of their possible exposure and instructed to quarantine per CDC guidance,” Wade-Taxter said.
Delgado says it’s important to note that hospitals and health care providers cannot disclose PHI to anyone besides health departments without the infected individual’s authorization.
“Although contact tracing is often not subject to HIPAA, state privacy laws may provide additional protections to this information,” she said. “Further, health departments that collect this information impose safeguards to protect the privacy and confidentiality of affected individuals and generally do not disclose names or other personal information.”
Be the first to know
Get local news delivered to your inbox!