In response to the devastating Hurricanes Harvey and Irma that hit the United States earlier this year, the U.S. Department of Health and Human Services issued two partial waivers of HIPAA sanctions and penalties in areas affected. Now, following Hurricane Maria’s wreckage of Puerto Rico and the U.S. Virgin Islands, the government department has issued a third HIPAA waiver.
In all three cases of hurricane destruction, the waiver only applies to covered entities in areas where a public health emergency has been declared. Furthermore, the waiver only covers the 72 hours immediately following the implementation of the hospital’s disaster protocol.
The waiver is only effective for specific provisions of the HIPAA Privacy Rule. These include:
• The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
• The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
• The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
• The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
• The patient’s right to request confidential communications. See 45 CFR 164.522(b)
When the 72-hour window elapses, or as soon as the Presidential or Secretarial declaration terminates, the waiver ceases to apply. At this point, covered entities must comply with the above provisions of the Privacy Rule for all patients still under their care as normal.
Not every emergency warrants the waiver of sanctions and penalties for violations of limited provisions of the HIPAA Privacy Rule. However, the introduction of a waiver does offer some reassurance to covered entities that are operating in a disaster area that they will not accidentally violate HIPAA in the process of coordinating disaster relief.
The Department of Health and Human Services recently stated that in emergency situations, covered entities are permitted to share limited protected health information of patients even if a waiver has not been issued. They are not violating HIPAA when sharing information if it is in the best interests of patients to do so, helps identify patients, helps locate family members, and for public health activities. In the case of the latter, it is permissible to share PHI with public health authorities such as a state or local health department or the CDC for preventing or controlling disease, injury or disability.
Covered entities may also share PHI with the purposes of aiding in the treatment of either the patient or another person who may be affected by the same situation. They may also share PHI to help with the coordination or management of healthcare, such as sharing PHI with other healthcare providers or when referring patients for treatment – 45 CFR §§ 164.502(a)(1)(ii), 164.506(c)
PHI can be shared with anyone, as necessary, to prevent or lessen a serious or imminent threat to the health and safety of a person or the public. For example, PHI may be shared with an individual if that person is able to lessen or prevent the threatened harm. Such disclosures can be made without the patient’s permission. It is left to the discretion of the covered entity to decide the nature and severity of the threat to health – 45 CFR 164.512(j).
Disclosures can be made to family, friends, and other individuals involved in a patient’s care, and information can be shared to help identify, locate, and notify family members, guardians, or others responsible for a patient’s care – 45 CFR 164.510(b).
If unauthorised individuals make a request to view PHI, and these individuals are not associated with patient care, a HIPAA-covered entity is permitted to disclose “limited facility directory information”. This means that they can provide general information about the patient such as whether they are in critical or stable condition, are deceased, or have been treated and have left the facility, provided the patient has not requested the information be kept private. Requests of this nature are most commonly made by media sources.
All disclosures of PHI must be limited to the “minimum necessary” information to achieve the purpose for which the information is disclosed, as outlined in HIPAA’s Privacy Rule. At all times, even in emergency situations, the HIPAA Security Rule requirements apply and covered entities must continue to ensure administrative, physical, and technical safeguards are in place to preserve the confidentiality, integrity, and availability of PHI.