OCR Issues Clarification on HIPAA Disclosure Rules

The Department of Health and Human Services’ Office for Civil Rights (OCR) has, following the recent attacks in Las Vegas, moved to issue a clarification on the HIPAA Rules regarding disclosures to family, friends and other people.

In the aftermath of Hurricane Irma and Hurricane Maria, OCR issued a partial waiver of certain provisions of the HIPAA Privacy Rule in the regions where both hurricanes occurred. Such a waiver is often, but not in every instance, issued following a natural disaster like this when it has been deemed a public health emergency.

For example, OCR did not issue a HIPAA Privacy Rule waiver in the aftermath of the attack in Las Vegas, and neither was a waiver issued following the 2016 Orlando shootings. OCR HIPAA waivers are normally not issued for other ‘man-made’ disasters. Healthcare groups involved in the treatment of those affected by the Las Vegas shootings were required to adhere to the HIPAA Privacy Rule.

In the reminder issued about HIPAA Rules on disclosure of private information to family, friends and other individuals, OCR commented that the HIPAA Privacy Rule permits healthcare groups to disclose PHI to family, friends and other people who have been identified by a patient as being involved in his or her treatment. PHI may also be accessed to help identify or locate people involved in a patient’s treatment or to notify them of the patient’s location, health status or death.

In the case of an emergency, covered bodies should try to gain verbal permission from the patient to share data. When this is not possible, such as when a person is incapacitated, it is left to the professional judgement of the covered body to decide whether sharing data is in the patient’s best interest.

With natural disasters, PHI may need to be given to disaster relief organizations to help with disaster relief efforts. While permission should be sought, it is not necessary if obtaining permission would negatively affect the organization’s response to the emergency.

The HIPAA Privacy Rule allows covered bodies to advise the media about a specific patient’s general health condition (critical, stable, deceased, or treated and released) if a request is made about a patient that is referred to by name, provided the patient has not previously objected to the sharing of such data, in which case the patient’s request should be respected.

Other private data, such as test results, details of an illness or other health information, must generally only be shared if authorization has first been received from the patient in writing.

Whenever PHI is shared, the minimum necessary standard applies: any PHI made available must be limited to the minimum necessary information to fulfill the purpose for which the information is shared.

The provisions of the HIPAA Privacy Rule are outlined in: 45 CFR 164.510(b) – Disclosures to family, friends, and other individuals involved in a patient’s treatment; 45 CFR 164.510(a) – Disclosures to the media and individuals not involved in a patient’s care; 45 CFR 164.508 – HIPAA authorizations; 45 CFR §§ 164.502(b) and 164.514(d) – The minimum necessary standard.

Posted by Emma Taylor

Emma Taylor is the contributing editor of Defensorum. Emma started on Defensorum as a news writer in 2017 and was promoted to editor in 2022. Emma has written and edited several hundred articles related to IT security and has developed a deep understanding of the sector. You can follow Emma on https://twitter.com/defensorum and contact Emma at emmataylor@defensorum.com.