On May 4, changes to North Carolina’s communicable disease confidentiality law went into effect, including important modifications to the parts of the law that permit information to be released to law enforcement officials. Amendments to G.S. 130A-143 were included in one of the two bills enacted in early May 2020 to address the COVID-19 pandemic. S.L. 2020-3 (S 704), sec. 4.17. Unlike some provisions in the COVID-19 legislation, the changes to the communicable disease confidentiality law do not sunset—they are permanent.
This post briefly reviews how G.S. 130A-143 protects the confidentiality of communicable disease information, describes the changes the legislation made to the law enforcement provisions, and gives some examples of how the amended law provides for disclosures of information to law enforcement.
Communicable Disease Confidentiality: Background and New Legislation
G.S. 130A-143 states that all information or records that identify a person who has or may have a reportable communicable disease are strictly confidential, are not public records, and may be released only as provided by the statute. Information about COVID-19 is covered by this law.
When information is subject to G.S. 130A-143, the general rule is that it may not be released without the written consent of the individual who is the subject of the information. However, there are exceptions to the general rule that allow release without written consent for specified purposes, including a couple of exceptions that allow certain disclosures to law enforcement.
By its terms, G.S. 130A-143 is not limited to health care providers or medical records: it states that it applies to “[a]ll information and records, whether publicly or privately maintained,” that identify an individual who has or may have a reportable communicable disease. This is important to keep in mind because the law also applies to law enforcement officials and others who may acquire confidential communicable disease information.
Local health departments must comply with both G.S. 130A-143 and the federal HIPAA Privacy Rule, which allows some disclosures of information to law enforcement but directs covered entities to comply with state confidentiality laws as well. The interaction between HIPAA and state laws is complex, but the general rule is that HIPAA-covered entities must comply with both, and if one is stricter than the other, abide by the stricter law. G.S. 130A-143 is stricter than HIPAA with respect to disclosures to law enforcement. As a result, some disclosures to law enforcement that are allowed by HIPAA are not allowed under North Carolina law.
Disclosing Communicable Disease Information to Law Enforcement
Before it was amended by the COVID-19 legislation, G.S. 130A-143(7) authorized the North Carolina Department of Health and Human Services (NC DHHS) or a local health department to release confidential communicable disease information to law enforcement officials for the following purposes:
- To enforce the communicable disease control laws (G.S. Ch. 130A, Art. 6);
- To enforce the public health bioterrorism laws (G.S. 130A, Art. 22); or
- To investigate terrorism using nuclear, biological, or chemical agents.
The law restricts redisclosure by law enforcement officials who receive information under this provision, providing that the official “shall not” disclose the information further except:
- When necessary to enforce the communicable disease or public health bioterrorism laws;
- When necessary to conduct an investigation of a terrorist incident using nuclear, biological, or chemical agents; or
- When state or local public health officials seek the law enforcement official’s assistance in preventing or controlling the spread of disease, and expressly authorize the disclosure as necessary to that purpose.
The new legislation retains all of these provisions but moves them from paragraph (7) to a new paragraph, (7a).
The legislation also adds a new provision to new G.S. 130A-143(7a) that allows NC DHHS or a local health department to release information to a law enforcement official for the purpose of preventing or lessening a serious or imminent threat to the health or safety of a person or the public, but only to the extent that the disclosure is also permitted under the federal HIPAA Privacy Rule and is not otherwise permitted under G.S. 130A-143(4). Information released to a law enforcement official under this new provision is subject to the same redisclosure provisions described above.
The language of the new “serious or imminent threat” provision raises two questions: To what extent is such disclosure permitted under the federal HIPAA Privacy Rule? And when is disclosure not covered by this section because it is otherwise permitted under G.S. 130A-143(4)?
When does HIPAA allow disclosures to prevent or lessen a serious or imminent threat?
The pertinent provision of the HIPAA Privacy Rule allows a covered entity to disclose protected health information (PHI) when:
- The disclosing entity has a good faith belief that disclosure of the PHI is necessary to prevent a serious and imminent threat to the health or safety of a person or the public;
- The disclosure is made to a person reasonably able to prevent or lessen the threat, including the target of the threat; and
- The disclosing entity acts consistently with law and ethical standards.
It also provides that the good faith of the disclosing entity will be presumed. 45 C.F.R. 164.512(j). Further, disclosures made under this section are subject to HIPAA’s minimum necessary standard, which requires the disclosing entity to limit its disclosure to the amount of PHI that is necessary to accomplish the purpose of the disclosure. 45 C.F.R. 164.514(d).
The HIPAA Privacy Rule is enforced by the U.S. Department of Health & Human Services’ Office for Civil Rights (OCR), which sometimes provides guidance to HIPAA covered entities about how to comply with different provisions of the Privacy Rule. In March 2020, OCR released a bulletin that addressed certain HIPAA issues during the COVID-19 pandemic. Among other things, the bulletin provided a summary of HIPAA provisions that allow disclosures of information in emergency situations, including the serious and imminent threat provision. The bulletin stated:
Health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. See 45 CFR 164.512(j). Thus, providers may disclose a patient’s health information to anyone who is in a position to prevent or lesson the serious and imminent threat, including family, friends, caregivers, and law enforcement without a patient’s permission. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety. See 45 CFR 164.512(j).
While the March 2020 bulletin clarified that HIPAA’s serious and imminent threat provision could allow certain disclosures of PHI during the COVID-19 emergency, it also noted that such disclosures must be consistent with applicable law, including state statutes. At the time the bulletin was released, G.S. 130A-143 did not provide for releases of communicable disease information to prevent or lessen a serious and imminent threat in North Carolina.
The addition of a serious or imminent threat provision to paragraph (7a) allows these disclosures in some circumstances. Specifically, the provision allows such disclosures if:
- The disclosure is made by NC DHHS or a local health department to a law enforcement official;
- The disclosure is limited to the extent that such disclosure would be permitted by the 45 C.F.R. 164.512(j), the pertinent provision of the HIPAA Privacy Rule; and
- The disclosure is not otherwise permitted by G.S. 130A-143(4).
When is release of information otherwise permitted by G.S. 130A-143(4)?
G.S. 130A-143(4) allows disclosure of confidential communicable disease information when “[r]elease is necessary to protect the public health and is made as provided by the Commission [for Public Health] in its rules regarding control measures for communicable diseases and conditions.” This part of the statute may be opaque for those who do not normally study the communicable disease rules, but it has provided the authority for a number of disclosures that have been made during the COVID-19 response, including disclosures to law enforcement officials and other first responders.
Because COVID-19 is a new disease, North Carolina does not have communicable disease control measure rules that are specific to it, but that does not mean it is unaddressed by the control measure rules. Rather, COVID-19 falls generally under a rule that: (1) incorporates by reference CDC guidelines and recommended actions, and (2) provides principles for public health officials to use when they interpret or implement the control measures obtained from the CDC documents. 10A N.C.A.C. 41A .0201. Thus, if CDC guidelines provide for release of information, such release likely is covered under G.S. 130A-143(4).
In addition, another communicable disease control measure rule may authorize release of information about COVID-19 to law enforcement under G.S. 130A-143(4), depending on the particular facts. 10A N.C.A.C. 41A .0211 authorizes a local health department to “reveal the identity and diagnosis of a person with a reportable communicable disease or condition … which represents a significant threat to the public health to [specified persons] when disclosure is necessary to prevent transmission in the facility or establishment for which they are responsible.” The specified persons to whom such information may be released includes employers, a term that is broad enough to include law enforcement agencies, and “superintendents or directors” of certain institutions, including jails (which I interpret to mean the jail administrator).
When a disclosure to law enforcement is made under G.S. 130A-143(4) and the communicable disease control measure rules, it is not subject to the special redisclosure provisions of G.S. 130A-143(7a) that apply to the new “serious or imminent threat” provision and the other disclosures in that paragraph. Instead, the information is subject to the general rules of the communicable disease confidentiality statute: it is strictly confidential, not a public record, and may be released only as provided in G.S. 130A-143.
Examples of Releases of Information to Law Enforcement Under the Different Provisions
When may release be made under the new serious or imminent threat provision (G.S. 130A-143(7a)), versus the provision for releases that are necessary to protect public health and made as provided in the communicable disease control measure rules (G.S. 130A-143(4))? The answer to this question will certainly vary, and some circumstances will no doubt be more straightforward than others. Here are some examples that are based on questions about the law I have already received.
Disclosures to Law Enforcement Officials in their Role as Employers or Jail Administrators
A communicable disease control measure rule authorizes a local health department to disclose information about an individual diagnosed with COVID-19 to certain persons, including employers and jail administrators, “when disclosure is necessary to prevent transmission in the facility or establishment for which they are responsible.” 10A N.C.A.C. 41A .0211.
If a law enforcement officer has (or is suspected of having) COVID-19, this rule would allow a local health department to reveal the officer’s identity and diagnosis to the officer’s employer. When it makes such a disclosure, the local health department must instruct the employer in the necessity of keeping the information strictly confidential, as provided by G.S. 130A-143. I wrote more about disclosures to employers in this blog post.
The same rule allows a local health department to disclose the identity and diagnosis of a person with COVID-19 to a jail administrator, when disclosure is necessary to prevent transmission of the disease within the jail for which the administrator is responsible. A health department that makes such a disclosure should also take into account the requirements of the HIPAA Privacy Rule for disclosures to correctional institutions. HIPAA prescribes the limits for when such disclosures are permitted, but expressly allows disclosure when necessary to the health and safety of the officers, employees, inmates, or others at the correctional institution. See 45 C.F.R. 164.512(k)(5).
Disclosures made under this rule clearly fall under G.S. 130A-143(4): necessary to protect the public health and made as provided in the communicable disease control measure rules.
Disclosure to a 911 Call Center for Redisclosure to Law Enforcement and Other First Responders
I wrote a blog post about disclosures to first responders on March 24, before the communicable disease confidentiality law was amended. In the post, I relied on G.S. 130A-143(4) to conclude that a local health department could disclose specific COVID-19 information—including names and addresses of individuals known or suspected of having COVID-19—to 911 call centers, which could then redisclose information to law enforcement officers (and other first responders) when they were dispatched.
While I feel confident this conclusion was correct, both as a matter of law and because it was clearly necessary for the protection of health and safety during the pandemic, the route to reaching it was more akin to a trail of stepping stones than a paved path. It looked like this:
- G.S. 130A-143(4) allows releases of information that are necessary to protect the public health and that are made as provided by the North Carolina communicable disease control measure rules.
- 10A N.C.A.C. 41A .0201 is a communicable disease control measure rule that incorporates by reference CDC guidance.
- A March 10 CDC guidance document, Interim Guidance for Emergency Medical Services (EMS) Systems and 911 Public Safety Answering Points (PSAPs) for COVID-19 in the United States, addresses disclosure of information by 911 call centers to the first responders they dispatch. While the document’s title refers specifically to EMS, an introductory statement clarifies that the guidance applies to “all first responders, including law enforcement, … who anticipate close contact with persons with confirmed or possible COVID-19 in the course of their work.” The guidance includes a clear statement that first responders should be notified by the call center when they are dispatched to transport or care for a person with known or suspected COVID-19, to allow for use of appropriate personal protective equipment (PPE).
Several hours after I published my post, OCR released a HIPAA guidance document that addressed disclosures about COVID-19 to first responders, including law enforcement. The OCR guidance concluded that HIPAA-covered entities could disclose COVID-19 information to 911 call centers for redisclosure to first responders on a per-call basis. While this was consistent with my conclusions about allowable disclosures, it had a different rationale: the OCR guidance relied on HIPAA’s “serious and imminent threat” provision, which was not part of North Carolina’s communicable disease confidentiality law at the time.
Now that G.S. 130A-143(7a) provides a serious or imminent threat exception for disclosures to law enforcement, should local health departments rely on that provision or G.S. 130A-143(4) to determine whether disclosure may be made? The new legislation appears to make (7a) secondary to (4), but how this applies in practice may be difficult to sort out.
However, for purposes of disclosing information to 911 centers for redisclosure to law enforcement, it may not make much of a practical difference–both the CDC guidance (which a health department would rely on to make a disclosure under (4)) and the OCR guidance (which a health department would consult to determine the parameters of a disclosure under (7a)) lead to substantially similar results:
- Both allow a local health department to disclose information to a 911 call center, which may then redisclose it to law enforcement on a per-case basis.
- Neither allows a local health department to provide the health department’s list of individuals who have or may have COVID-19 directly to a law enforcement agency or officer: the CDC guidance provides only for the disclosure of information by 911/PSAPs to first responders upon dispatch, while the OCR HIPAA guidance explicitly states that HIPAA-covered entities “should not distribute compiled lists of individuals to [first responders], and instead should disclose only an individual’s information on a per-call basis.” The OCR guidance adds that sharing lists “would not ordinarily constitute the minimum necessary to accomplish the purpose of the disclosure (i.e., protecting the health and safety of the first responders from infectious disease for each particular call).”
In the present circumstances, I believe it is appropriate for local health departments to rely on the OCR guidance, which relies on the serious and imminent threat provision and provides specific examples of how it may be applied. I think this makes sense in part because the serious and imminent threat provision replaces the stepping stones I described above with a more straightforward path. However, because the new serious or imminent threat provision in the state law applies only to disclosures to law enforcement, those stepping stones are still very important for reaching conclusions about disclosures to other first responders. Full analysis of disclosures to others under G.S. 130A-143(4) is beyond the scope of this post, but I hope I have left you with that image: there are stepping stones that can be followed to reach conclusions about whether disclosure under that provision is allowed.
As the pandemic continues to unfold, there may well be other circumstances that allow disclosure of communicable disease information by N.C. DHHS or a local health department to a law enforcement official. If and when such circumstances arise, public health officials should consider both G.S. 130A-143(4) and new G.S. 130A-143(7a) in determining whether the release is allowed.
Disclosures under G.S. 130A-143(4) must be authorized by the communicable disease control measure rules, which may require public health officials to consult any of a number of CDC guidance documents. It’s important to be aware that CDC guidance on COVID-19 is rapidly expanding, and specific guidance documents may be replaced with updated recommendations as the disease is better understood or new strategies for managing it are adopted.
Disclosures under the new “serious or imminent threat” provision of G.S. 130A-143(7a) must be permitted by the pertinent part of the HIPAA Privacy Rule, 45 C.F.R. 164.512(j). In addition to consulting the rule itself, a public health official who is considering a disclosure under this provision should determine whether there is pertinent OCR guidance. The OCR is compiling its HIPAA and COVID guidance documents here.
New G.S. 130A-143(7a) authorizes N.C. DHHS or a local health department to release communicable disease information to a law enforcement official for any of the following purposes:
- To enforce the communicable disease laws (G.S. Ch. 130A, Art. 6);
- To enforce the public health bioterrorism laws (G.S. Ch. 130A, Art. 22);
- To investigate terrorism using nuclear, biological, or chemical agents; or
- To prevent or lessen a serious or imminent threat to the health or safety of a person or the public, to the extent such disclosure is permitted by HIPAA and is not otherwise permitted by G.S. 130A-143(4).
When a law enforcement official receives information under G.S. 130A-143(7a), the official shall not disclose the information further except when necessary to enforce the communicable disease or public health bioterrorism laws; when necessary to conduct an investigation of a terrorist incident using nuclear, biological, or chemical agents; or when state or local public health officials seek the law enforcement official’s assistance in preventing or controlling the spread of disease, and expressly authorize the disclosure as necessary to that purpose.
G.S. 130A-143(4), which is referenced in new paragraph (7a), allows disclosures of information when necessary to protect the public health, provided the release of information is made as provided in the state’s communicable disease control measure rules. This part of the law was unchanged by the new legislation. It has been a crucial provision in allowing a variety of disclosures of COVID-19 information and will continue to be important to allow disclosures to law enforcement as employers and operators of jails, as provided by 10A N.C.A.C. 41A .0211. Recipients of information under this provision must keep it strictly confidential as provided in G.S. 130-143.