In the wake of the recent Ebola outbreak, the U.S. Department of Health and Human Services (“HHS”) has issued a guidance on how the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) applies in emergency situations. The guidance attempts to strike a balance between preserving patients’ privacy rights and the need to disseminate information to protect public health. BakerHostetler recently provided privacy considerations for the health care industry in a Health Law Update focused on Ebola.
HIPAA has always permitted certain disclosures of patient health information when necessary to treat a patient or as necessary to protect the nation’s public health. For example, HIPAA allows the disclosure of protected health information without individual authorization to a public health authority, such as the Centers for Disease Control and Prevention (“CDC”), a local health department, or persons at risk of contracting or spreading disease. Recently, the Ebola epidemic in Africa and the first confirmed case of Ebola in the U.S. have put a spotlight on these privacy issues.
To help guide covered entities, the HHS bulletin provides additional clarification on the permitted uses of protected health information in emergency situations. For example, HHS reiterates that health care providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. Along those same lines, HHS explicitly allows the disclosure of protected health information to disaster relief organizations such as the American Red Cross. While HHS generally recommends getting patient permission, the covered entity need not obtain permission if doing so would interfere with the disaster relief organization’s ability to respond to the emergency.
Health care providers should be mindful that an emergency situation does not provide carte blanche to disclose protected health information at will. HHS states that such disclosures must still comply with the “minimum necessary” rule and covered entities must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the intended purpose. In addition, at no point does an emergency situation alleviate a covered entity’s responsibility to safeguard patient health information, nor does it suspend the HIPAA Privacy Rule. Instead, the Secretary of HHS may waive sanctions and penalties against a covered entity that does not comply with certain provisions of the Privacy Rule, such as (a) the requirement to obtain a patient’s agreement to speak with family members or friends or to honor a patient’s request to opt out of the facility directory; (b) the requirement to distribute a notice of privacy practices; and (c) the patient’s right to request privacy restrictions or confidential communications. Keep in mind, these waivers are limited to the designated geographic area, valid only during the emergency period, and in effect for a limited duration of 72 hours.
Health care providers should also be mindful that state laws may further restrict the sharing of patient information, even in an emergency, and may not be pre-empted by HIPAA. If faced with treating an Ebola patient or other emergency situation, health care providers are encouraged to not only consult these HIPAA guidelines but to consider state law implications as well.