OCR Issues Bulletin for Medical Professionals Navigating HIPAA Rules in Emergency Situations

PUBLISHED: Sep 1, 2017
Relevant to: Ambulatory Care, Behavioral Health, Clinical Lab, Community Mental Health Centers, Critical Access Hospitals, Dialysis Facilities, Home Health, Hospice, Hospitals, Long Term Care, Medical Office/Clinic, Pharmacies

As emergency personnel and medical facilities undertake immediate action to ensure the safety of those affected by Hurricane Harvey, the Office for Civil Rights (OCR) continues to highlight how the HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts and to assist patients in receiving the care they need, regardless of whether a waiver is granted. While the HIPAA Privacy Rule is not suspended during a public health or other emergency, the Secretary of HHS has waived certain provisions of the Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act. (For more information see StayAlert! Notice published on August 30, 2017).

Even without a waiver, the HIPAA Privacy Rule always allows patient information to be shared for the following purposes and under the following conditions.

  • Treatment: Under the Privacy Rule, covered entities may disclose, without a patient’s authorization, protected health information about the patient as necessary to treat the patient or to treat another person (who might be, for example, affected by the same emergency situation). Treatment includes the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of 2 patients for treatment. See 45 CFR §§ 164.502(a)(1)(ii), 164.506(c), and the definition of “treatment” at 164.501.
  • Public Health Activities: The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission. Therefore, the Privacy Rule permits covered entities to disclose needed protected health information without individual authorization. See the OCR bulliten, link below, for specific examples.
  • Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification: A covered entity may share protected health information with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary to notify family members and others, the police, the press, or the public at large. See 45 CFR 164.510(b). Again, please see the OCR Bulliten for specific examples and case scenarios.
  • Imminent Danger: Health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider’s standards of ethical conduct. Thus, providers may disclose a patient’s health information to anyone who is in a position to prevent or lessen the threatened harm, including family, friends, caregivers, and law enforcement, without a patient’s permission. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health or safety. See 45 CFR 164.512(j).
  • Disclosures to the Media or Others Not Involved in the Care of the Patient/Notification: Upon request for information about a particular patient by name, a hospital or other health care facility may release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient. See 45 CFR 164.510(a).
  • Minimum Necessary: For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose. (Minimum necessary requirements do not apply to disclosures to health care providers for treatment purposes.)

See the complete OCR Bulletin for addition information. Included with today’s notice is an example policy about disclosure of protected health information during disaster relief efforts.

Want to read the full alert and receive alert emails?

Browse Additional Alerts