In the wake of the recent Ebola cases, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has issued a new bulletin reminding HIPAA-covered entities and their business associates that the requirements of the HIPAA Privacy Rule still apply when sharing protected health information (PHI), even in emergency situations. Towards that end, OCR’s bulletin provides guidance on how covered entities can share, use, and disclose critical information under certain situations during a disaster. Hospitals and other covered entities subject to the HIPAA Privacy Rule should consider the bulletin and OCR’s additional guidance on HIPAA in emergency situations as part of any Ebola or disaster preparedness plan. Highlights of OCR’s bulletin include:

Sharing Patient Information in Emergency Situations: A covered entity may disclose a patient’s PHI without his or her authorization only as permitted or required by HIPAA. These situations include:

  • For treatment of patients;
  • For public health activities, such as:
    • sharing information with public health authorities, like the CDC or state or local health departments, that are authorized by law to collect/receive the information to prevent or control disease, injury, or disability;
    • sharing information with a foreign government agency at the direction of a public health authority;
    • sharing information with persons at risk of contracting or spreading a disease or condition, if authorized by law; and
  • To prevent or lessen a serious and imminent threat to the health and safety of a person or the public

In more limited circumstances, a covered entity may share a patient’s PHI with his or her family, friends, or other persons identified as involved in the patient’s care (or payment for the care) and disaster relief organizations. A covered entity generally may disclose information to the media only if the media requests information about a particular patient by name, if the information is limited to basic facility directory information (such as presence at the facility and general condition), and if the patient has had an opportunity to object or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient. Disclosure of additional information would require the patient’s written authorization. Of course, the covered entity also may obtain the patient’s authorization to use and disclose PHI for purposes not specifically permitted or required by HIPAA. 

Safeguarding Patient Information in Emergency Situations: A covered entity must make reasonable efforts to limit the PHI disclosed to that which is minimally necessary. A covered entity also must continue to implement reasonable safeguards to protect PHI, including maintaining the HIPAA Security Rule safeguards applicable to electronic PHI.

Business Associates: Business associates may make disclosures permitted under the Privacy Rule on behalf of their covered entities (or another business associate) to the extent authorized by its business associate agreement. Business associates also must continue to comply with the HIPAA provisions that apply to business associates, including  the HIPAA Security Rule requirements applicable to electronic PHI.

Limited Waiver: While the HIPAA Privacy Rule never is suspended, regardless of the emergency, the HHS Secretary may waive certain provisions and penalties as permitted by the Project Bioshield Act and the section 1135(b)(7) of Social Security Act. These waivers apply only to those certain HIPAA sanctions and penalties and can be authorized by the Secretary only after the President declares an emergency or disaster and the Secretary declares a public health emergency. If a waiver is issued, then the waiver only applies: in the emergency area and for the period identified; to hospitals that have instituted a disaster protocol; and for up to 72 hours following the hospital’s implementation of its disaster protocol.