HIPAA FAQ – Disclosures in Emergency Situations (2020-09-08)

Is the HIPAA Privacy Rule suspended during a national or public health emergency? (2020-09-09)

No; however, the Secretary of HHS may waive certain provisions of the Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

What provisions may be waived

If the President declares an emergency or disaster and the Secretary declares a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule:

  1. the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care (45 CFR 164.510(b))
  2. the requirement to honor a request to opt out of the facility directory (45 CFR 164.510(a))
  3. the requirement to distribute a notice of privacy practices (45 CFR 164.520)
  4. the patient’s right to request privacy restrictions (45 CFR 164.522(a))
  5. the patient’s right to request confidential communications (45 CFR 164.522(b))

When and to what entities does the waiver apply

If the Secretary issues such a waiver, it only applies:

  1. In the emergency area and for the emergency period identified in the public health emergency declaration.
  2. To hospitals that have instituted a disaster protocol. The waiver would apply to all patients at such hospitals.
  3. For up to 72 hours from the time the hospital implements its disaster protocol.

When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.

Regardless of the activation of an emergency waiver, the HIPAA Privacy Rule permits disclosures for treatment purposes and certain disclosures to disaster relief organizations. For instance, the Privacy Rule allows covered entities to share patient information with the American Red Cross so it can notify family members of the patient’s location. See 45 CFR 164.510(b)(4).

Can health care information be shared in a severe disaster? (2020-09-10)

Providers and health plans covered by the HIPAA Privacy Rule can share patient information in all of the following ways:

TREATMENT: Health care providers can share patient information as necessary to provide treatment.

Treatment includes:

  • sharing information with other providers (including hospitals and clinics),
  • referring patients for treatment (including linking patients with available providers in areas where the patients have relocated), and
  • coordinating patient care with others (such as emergency relief workers or others that can help in finding patients appropriate health services).

Providers can also share patient information to the extent necessary to seek payment for these health care services.

NOTIFICATION: Health care providers can share patient information as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the individual’s care of the individual’s location, general condition, or death.

The health care provider should get verbal permission from individuals, when possible; but if the individual is incapacitated or not available, providers may share information for these purposes if, in their professional judgement, doing so is in the patient’s best interest.

  • Thus, when necessary, the hospital may notify the police, the press, or the public at large to the extent necessary to help locate, identify, or otherwise notify family members and others as to the location and general condition of their loved ones.
  • In addition, when a health care provider is sharing information with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, it is unnecessary to obtain a patient’s permission to share the information if doing so would interfere with the organization’s ability to respond to the emergency.

IMMINENT DANGER: Providers can share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public — consistent with applicable law and the provider’s standards of ethical conduct.

FACILITY DIRECTORY: Health care facilities maintaining a directory of patients can tell people who call or ask about individuals whether the individual is at the facility, their location in the facility, and general condition.

Of course, the HIPAA Privacy Rule does not apply to disclosures if they are not made by entities covered by the Privacy Rule. Thus, for instance, the HIPAA Privacy Rule does not restrict the American Red Cross from sharing patient information.
