When disaster strikes, waivers from HIPAA may aid providers

Recent natural disasters caused massive disruption in typical treatment patterns, and relaxation of privacy requirements resulted in some confusion.


The seemingly non-stop move from one natural disaster or health emergency to another places a significant strain on the healthcare system. Providers either cannot reach a facility, whether hospital or otherwise, or patients overwhelm a particular facility. Additionally, patients from other locations may be swept up in an event and brought into the healthcare setting well away from their home.

At such a time providers and healthcare facilities should be focused solely on providing care and doing everything possible to reduce or mitigate harm. HIPAA should not enter into conscious thought or be used as an excuse or barrier to keeping individuals or family members up to date on what is happening.

While that is the ideal scenario, the reality is often far different.

Given the unfortunate reality that HIPAA is often misused, both at calm times and in times of stress, the Department of Health and Human Services and Office for Civil Rights have gone down the road, whether real or advertised, of “waiving” enforcement of HIPAA.

For example, following Hurricanes Harvey, Irma and Maria, limited waivers of HIPAA were announced. Each waiver stated that entities did not need to comply with the following, specified requirements of HIPAA: obtaining a patient’s consent before speaking with a family member or friend involved in their care; honoring a request to opt out of a facility directory; distributing a notice of privacy practices; honoring a request for privacy restrictions; and honoring a request for confidential communications.

In reality, only the waiver of notice of privacy practices requirements likely had any impact. Each of the other elements identified should not have posed much of an issue for an entity to satisfy.

Both speaking with family members or others involved in an individual’s care and listing in a facility directory are uses and disclosures that require giving the individual the opportunity to object. Further, both types of use and disclosure specifically lay out what to do in the event of an emergency.

In an emergency, created by incapacity or exigent circumstances, the covered entity can use reasonable judgment to disclose some of the permitted information. In the case of a family member or other person involved in the individual’s care, a disclosure would likely encompass confirming that the individual is present and potentially the condition that that individual is facing. A facility directory will contain much of the same information. Since such uses and disclosures only require the opportunity to object, why is a waiver from complying necessary?

Turning to honoring a request for privacy restrictions, except for the limited circumstance of withholding information when paid out of pocket, complying with a request for restrictions is purely discretionary. The HIPAA Privacy Rule does not obligate a covered entity to grant a patient’s request. If that is the case, why was a waiver necessary? Arguably, such a waiver creates a false impression of leniency.

The waiver on honoring a request for confidential communications is similar. The HIPAA Privacy Rule requires covered entities to permit an individual to request confidential communications and must accommodate reasonable requests. Even in an emergency, it is possible to document a request and put a notation in. It is also a bit of a stretch to think that an individual who has just survived a hurricane is thinking about restricting how a hospital or provider will follow up about treatment provided. As indicated, this waiver seems like much ado about nothing.

Turning to epidemics and treatment-related crises, the opioid crisis is the event grabbing the most headlines. Following the declaration that the opioid crisis constitutes a health emergency, HHS and OCR produced a document explaining how physicians and likely all covered entities can respond.

Many mainstream media outlets and others identified the statement as a relaxation of HIPAA requirements or a waiver. Such assertions are not accurate. Instead, the document outlines permissible uses and disclosures under the HIPAA Privacy Rule, without modification, that will enable appropriate information to be pushed out.

The guidance leans heavily on uses and disclosures that require the opportunity for an individual to object and uses and disclosures where no opportunity to object is necessary. The first category (opportunity to object) was discussed in connection with the hurricane waivers. An opportunity to object does not necessarily mean specifically asking the individual. It could arguably be accomplished by starting to engage in the use or disclosure in front of the individual and if nothing is done to stop the communication, then no objection is implied.

Uses and disclosures not requiring an opportunity to object constitute the larger category. This portion of the HIPAA Privacy Rule contains 12 scenarios, some of which are comprised of multiple sub-scenarios. The uses and disclosures include for public health activities, certain abuse situations, where the individual poses a serious risk of imminent harm to themselves or others, health oversight activities, and many others. The ability to use and disclose information without objection or consent fits within the fairly permissive scheme that HIPAA actually implements, but is so often not appreciated.

While only a fraction of the uses and disclosures that HIPAA really allows was discussed above, it should be clear that HIPAA is not the problem during a natural disaster or health crisis. Instead, as usual, the problem is a failure to fully appreciate how HIPAA operates. Instead of complaining about HIPAA, let us ensure that all are fully educated and trained.