- HHS Secretary Alex Azar has waived sanctions and penalties under certain HIPAA Privacy Rule provisions that apply to hospitals to enable greater sharing of information in response to Hurricane Florence making landfall on the East Coast.
Sanctions and penalties for violating certain HIPAA Privacy Rule provisions will be waived in the emergency area, for the time period identified in Azar’s public health emergency (PHE) declarations for the Carolinas and Virginia, and only for hospitals that have instituted a disaster protocol.
Qualifying hospitals can take advantage of the waiver for up to 72 hours from the time it implements a disaster protocol, unless the PHE declaration terminates first.
When the PHE declaration ends, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.
The HIPAA Privacy Rule provisions covered by this waiver include:
- Requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care
- Requirement to honor a request to opt out of the facility directory
- Requirement to distribute a notice of privacy practices
- Patient's right to request privacy restrictions
- Patient's right to request confidential communications
“In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures,” explained OCR in its Hurricane Florence and HIPAA bulletin.
“Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.”
OCR explained that even without a waiver, the HIPAA Privacy Rule allows patient information to be shared for the following purposes and under the following conditions.
Treatment: Covered entities can disclose without the patient’s authorization PHI about the patient as necessary to treat the patient or to treat another person.
Public health activities: Covered entities can disclose PHI without individual organization to a public health authority, such as the CDC, to a foreign government at the direction of a US public health authority, and to persons at risk of contracting or spreading a disease, state law permitting.
Disclosures to family, friends, or others involved in patient care: Covered entities can share PHI with a patient’s family, members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. Covered entities also can share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death.
Disclosures to prevent an imminent threat: Covered entities can share PHI with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of an individual or the public at large. A provider may disclose a patient’s PHI to anyone who can prevent or lessen the threatened harm, including family, friends, caregivers, and law enforcement, without a patient’s permission.
Disclosures to media or others not involved in patient care: Covered entities may release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient.
Minimum necessary: Covered entities must make reasonable effort to limit the information disclosed to what is the “minimum necessary” to accomplish the purpose.
Business associates: A business associate may make disclosures permitted by the Privacy Rule, such as to a public health authority, on behalf of a covered entity or another business associate to the extent authorized by its business associate agreement.