New Guidance on HIPAA Privacy during Emergencies
In light of the treatment of Ebola patients and other events, the HHS Office for Civil Rights has issued new guidance on sharing patient information under the HIPAA Privacy rule during emergency situations.
The guidance also is meant to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency, OCR cautions.
The privacy rule enables covered entities to disclose without patient authorization protected information necessary to treat the patient or a different patient, the agency explains. Treatment includes the coordination or management of healthcare and related services by one or more healthcare providers and others, consultation between providers, and the referral of patients for treatment.
Covered entities also can disclose protected health information without individual authorization to public health authorities to prevent or control disease, injury, or disability; to report births and deaths; and to conduct public health surveillance, investigations or interventions. PHI also can be shared, at the direction of a public health authority, with a foreign government agency that is collaborating with the authority.
Further, individual authorization is not needed before notifying other persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations. The guidance tackles additional areas where PHI may be shared, including imminent danger and disclosures to media and others not involved in care of a patient and notifications.
The guidance also reaffirms disclosing the minimum necessary to accomplish the purpose, situations where business associates may make disclosures and the need even in an emergency situation to implement reasonable safeguards to protect PHI.
While the privacy rule is not suspended during a public health or other emergency, the Secretary of HHS may waive certain provisions of the rule. These include waiving sanctions for not obtaining patient agreement to speak with family or friends, for not distributing notices of privacy practices, and for not honoring requests such as opting out of the facility directory, the right to request privacy restrictions and the right to request confidential communications.
The four-page guidance is available here.