- Healthcare providers can face numerous challenges during natural disasters, including adhering to HIPAA rules while working to provide proper patient care through an emergency. HHS recently released a bulletin to help guide covered entities through declared emergencies, such as the aftermath of Hurricane Harvey in August 2017.
The Privacy Rule specifies that patient information can be shared in disaster relief efforts and to help ensure patients receive necessary care, according to the bulletin. However, the Privacy Rule “is not suspended during a public health or other emergency,” HHS added. Instead, “the Secretary of HHS may waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.”
With Hurricane Harvey specifically, HHS clarified how certain information may be shared.
“The Secretary of HHS has declared a public health emergency in Texas and Louisiana following the President’s declaration that a disaster exists in the States of Texas and Louisiana. Under these circumstances, the Secretary has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule,” the bulletin stated.
This can include obtaining a patient's agreement to speak with family members or friends involved in the patient’s care is permitted under HIPAA, HHS asserted. Failure to comply with a patient’s right to request privacy restrictions was also a listed example where sanctions may be waived.
A waiver also only applies in the following situations:
- In the emergency area and for the emergency period identified in the public health emergency declaration
- To hospitals that have instituted a disaster protocol
- For up to 72 hours from the time the hospital implements its disaster protocol.
The bulletin added that covered entities must comply with all Privacy Rule requirements for patients under their care after a Presidential or HHS Secretary declaration has ended. This is true “even if 72 hours has not elapsed since implementation of its disaster protocol.”
“In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures,” HHS maintained. “Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.”
HHS also pointed out the situations in which patient information can be shared.
For example, covered entities may disclose PHI “without a patient’s authorization” to treat the patient or another individual who may have been affected by the same emergency situation.
Ensuring public health and safety will also allow organizations to share PHI. This may include a hospital providing data to the Centers for Disease Control and Prevention or to a state or local health department.
A patient’s family, friends, or someone involved in the patient’s care may also receive patient information. It may be “necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death,” according to HHS. Family members, the police, the press, or the public at large could also be notified in emergency situations.
While an attempt should be made to receive verbal permission from a patient to share her PHI, HHS acknowledges it might not always be possible.
If the individual is incapacitated or not available, covered entities may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest,” the bulletin stated.
“Health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct,” HHS wrote. “Thus, providers may disclose a patient’s health information to anyone who is in a position to prevent or lessen the threatened harm, including family, friends, caregivers, and law enforcement, without a patient’s permission.”
Business associates may also make disclosures “to the extent authorized by its business associate agreement.”
The minimum necessary is still a key aspect to such PHI disclosures, HHS noted. This is not applicable to treatment purposes, but organizations should make “reasonable efforts” to not reveal more information than is absolutely necessary.
“The Privacy Rule does not apply to disclosures made by entities or other persons who are not covered entities or business associates (although such persons or entities are free to follow the standards on a voluntary basis if desired),” HHS concluded. “Thus, for instance, the HIPAA Privacy Rule does not restrict the American Red Cross from sharing patient information. There may be other state or federal rules that apply.”
HHS released a similar bulletin in November 2014, following US concerns over the Ebola virus. Patient PHI should remain protected, even in emergency situations. Even so, HHS recognizes that appropriate uses and disclosures of the information may be made to treat a patient, to protect the nation’s public health, and for other critical purposes.
“For example, a covered entity may disclose to the CDC protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Ebola virus disease,” the 2014 bulletin explained.