Emergency situations and natural disasters, such as hurricanes, pandemics, or mass casualties, can quickly overwhelm healthcare systems. The last thing on people’s minds in those situations is complying with the HIPAA Privacy Rule.
Sometimes, but not always, HHS steps in and issues a waiver of some HIPAA requirements. For example, during Hurricane Florence, which ravaged the Carolina coast and produced devastating flooding, HHS Secretary Alex Azar waived sanctions and penalties under certain HIPAA Privacy Rule provisions in the areas affected by the emergency.
As a result, hospitals and other healthcare organizations were given a HIPAA waiver of up to 72 hours from the time they first implemented their disaster protocol.
But not all emergencies come with a reprieve from adherence to the federal law. During crises that do not include a HIPAA waiver, healthcare organizations that do not have a clear understanding of their obligations to patient privacy may risk liabilities and potential penalties for non-compliance.
During an emergency situation, healthcare organizations should seek a balance between disclosing patient information when necessary to respond to an emergency and protecting patient privacy. This balance should be incorporated into a health organization’s emergency preparedness and response plan.
HIPAA Privacy Rule Provides Leeway in Emergencies
The HIPAA Privacy Rule, even without a waiver, includes provisions designed to help healthcare organizations deal with emergencies.
“Those are the provisions that allow you to disclose information to law enforcement in order to identify people, to disaster assistance entities like The Red Cross, and to public health entities,” explained Melissa Markey, an attorney with the law firm of Hall, Render, Killian, Heath & Lyman.
“Those provisions apply all the time. You don't need to look for a waiver or notification from HHS to use those provisions,” Markey told HealthITSecurity.com.
Matt Fisher, a healthcare attorney at Mirick O'Connell, agreed that flexibilities are built into HIPAA. “HIPAA allows pretty broad use of PHI for treatment purposes or healthcare operations. Obviously, coordination of care in the instance of a hurricane or other natural disaster can be a big issue that needs the attention of healthcare organizations.”
In its Hurricane Florence bulletin, HHS said that the HIPAA Privacy Rule allows patient information to be shared without a waiver under the following conditions:
Treatment: Covered entities can disclose, without the patient’s authorization, PHI as necessary to treat the patient or to treat another person.
Public health activities: Covered entities can disclose PHI without authorization to a public health authority, to a foreign government at the direction of a US public health authority, and to people at risk of contracting or spreading a disease, state law permitting.
Disclosures to family, friends, or others involved in patient care: Covered entities can share PHI with a patient’s family, members, relatives, friends, or other people identified by the patient as involved in his or her care. They also can share information about a patient to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care. This information may include the patient’s location, general condition, or death.
Disclosures to prevent an imminent threat: Covered entities can share PHI to prevent or lessen a serious and imminent threat to the health and safety of an individual or the public at large. A provider may disclose a patient’s PHI to anyone who can prevent or lessen the threatened harm, including family, friends, caregivers, and law enforcement, without a patient’s permission.
Disclosures to media or others not involved in patient care: Covered entities may release limited facility directory information to acknowledge someone is a patient and provide basic information about the patient’s condition in general terms. However, this requires that the patient has not objected to or restricted the release of that information or, if the patient is incapacitated, that the covered entity believes release of the information is in the best interest of the patient and is consistent with any prior expressed preferences of the patient.
Minimum necessary: Covered entities must make reasonable effort to limit the information disclosed to the “minimum necessary” to accomplish the purpose.
A business associate (BA) may disclose patient information as permitted by the Privacy Rule to a public health authority on behalf of a covered entity or another business associate to the extent authorized by its business associate agreement.
Dave Gacioch, a healthcare attorney with McDermott Will & Emery, explained that “much of what is included in the HIPAA rules turns on reasonableness under the circumstances, and disaster situations are very relevant to provisions that require reasonable safeguards.”
“As a general rule of thumb, my guidance to our healthcare provider clients would be that HIPAA largely still applies in an emergency. But do what's in the best interests of your patients and your community and that will usually put you on the right track to meet your compliance obligations in a disaster situation,” he told HealthITSecurity.com.
What Impact Do HIPAA Waivers Have on Hospitals?
In the case of natural disasters, pandemics, and mass casualty events, HHS can waive HIPAA requirements and penalties if the President declares an emergency or disaster and the HHS Secretary declares a public health emergency.
Emergencies during which HHS has issued a HIPAA waiver include the 2017 California Wildfires and Hurricanes Florence, Maria, Irma, Harvey, and Katrina.
HHS explained that the HHS Secretary can waive sanctions and penalties for the following HIPAA Privacy Rule provisions:
- Requirement to obtain a patient's agreement to speak with family members or friends involved in the patient’s care
- Requirement to honor a request to opt out of the facility directory of patients
- Requirement to distribute a notice of privacy practices
- Patient's right to request privacy restrictions
- Patient's right to request confidential communications
If the Secretary does issue a waiver, it only applies in the emergency area and for the emergency period identified in the public health emergency declaration. The waiver will only be applicable to hospitals that have instituted a disaster protocol, and it will only be good for up to 72 hours from the time the hospital implements its disaster protocol.
When a Presidential disaster declaration or HHS emergency declaration ends, a covered entity would need to comply with all HIPAA Privacy Rule requirements for any patient still under its care, even if 72 hours had not elapsed since the disaster protocol was implemented.
Fisher stressed that a waiver doesn’t suspend compliance with the HIPAA Privacy and Security Rules, but provides healthcare organizations with “a little bit more leeway” in sharing patient information.
Markey advised healthcare organizations to try to acquire patient consent to share his or her information even when a HIPAA waiver is in effect.
“If it is possible to accommodate patient privacy rights, it's best practice to still honor them. The waiver is intended to help hospitals that are in the middle of the emergency. But we still need to respect privacy as much as we possibly can,” she said.
Planning Is the Best Solution in Emergencies
Planning is the best approach for healthcare organizations to ensure HIPAA compliance during an emergency. Organizations should develop and implement an emergency preparedness and response plan that contains instructions on how to comply with the HIPAA Privacy Rule and what to do if HHS issues a waiver.
“Just because there's an emergency doesn't mean that HIPAA should be fully disregarded,” observed Fisher. “Obviously, you're going to be running and operating under more stressful circumstances. If you prepare ahead of time, then you're not going to be figuring things out on the fly and you’ll be ready to hit the ground running.”
To help healthcare organizations include HIPAA compliance in their emergency plans, HHS has developed a decision tool.
The tool focuses on the source of the information being disclosed, the entity to whom the information is being disclosed, and the purpose of the information being disclosed.
HHS advises organizations to start with the question that is most relevant to their emergency preparedness planning needs and follow the information flow to find the appropriate answer. HHS has also provided a process flow at-a-glance chart to graphically display how the tool works.
HHS stressed that the tool does not address other federal, state or local privacy laws that may apply in specific circumstances.
Because the decision-making tool focuses on issues relevant to emergency preparedness, it does not present all the uses and disclosures permitted by the Privacy Rule, nor does it discuss all the rule's requirements, HHS explained.
Gacioch recommended that HIPAA compliance be considered as part of an organization’s broader disaster response or emergency operations plan.
“Focus that plan on how you're going to take care of your patients and serve your community in a time of need, but factor in HIPAA considerations where possible consistent with those broader goals,” he said.
“HIPAA doesn't go away during disasters, but organizations are well-served if they plan and prepare for disasters before they occur and act during disasters in a way that puts their patients’ and communities' needs first. It will be difficult for regulators to subsequently challenge actions that meet that standard,” Gacioch concluded.