The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) released a bulletin on Nov. 10 reminding entities covered under the Health Insurance Portability and Accountability Act (HIPAA) that the protections continue to be in effect during emergencies, including Ebola and other outbreaks. HHS wants to make sure healthcare providers are aware of the ways in which patient information may be shared under the HIPAA Privacy Rule in emergency situations.

The HIPAA Privacy Rule protects the privacy of patient health information, though appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.

When It’s OK to Share Patient Information

  • Treatment: Covered entities may disclose protected health information (PHI) without patient authorization if necessary to treat the patient or another patient.
  • Public health activities: Covered entities may disclose PHI without patient authorization to ensure public health and safety. This includes sharing with a public health authority (such as the Centers for Disease Control and Prevention or a health department); with a foreign government agency at the direction of a public health authority; and with those at risk of contracting or spreading a disease or condition if so authorized by law.
  • Disclosure to family, friends and others involved in care or for notification: PHI may be shared with those identified by the patients as involved in their care. Information may also be shared as necessary in order to identify, locate or notify family members or those responsible for care about the patient’s location, condition or death.
  • Imminent danger: Healthcare providers may share PHI when needed to prevent or lessen serious and imminent threats to personal health or public safety when consistent with applicable laws and ethical conduct.
  • Disclosures to media or those not involved in care: Facilities may release limited information, such as acknowledgment that someone is a patient or his or her general condition, if the requester asks about the patient by name and the patient does not object.
  • Minimum necessary: With the exception of treatment purposes, covered entities must make reasonable efforts to limit the disclosed information to the “minimum necessary” to accomplish its purpose. However, if the PHI is requested by a public health authority, covered entities may rely on the public health authority’s representation that the requested information is the minimum necessary.
  • Business associate: Business associates of covered entities may also make disclosures on behalf of a covered entity as permitted by the Privacy Rule so long as such disclosure is authorized by its business associate agreement.

What Could Change in an Emergency

If the president declares an emergency or disaster and the Secretary of HHS declares a public health emergency, specific provisions of the Privacy Rule may be waived. These provisions include:

  • Requirements to obtain a patient’s agreement to communicate with family or friends involved in the patient’s care
  • Requirements to honor requests to opt out of facility directories
  • Requirements to distribute notices of privacy practices
  • Patient rights to request privacy restrictions
  • Patient rights to request confidential communications

The waiver would apply only to hospitals instituting disaster protocol in the emergency area for up to 72 hours.

For More Information

HIPAA and Public Health

HIPAA and Emergency Preparedness and Response

General information on understanding the HIPAA Privacy Rule