Severe disasters impose additional challenges on health care providers. Often questions arise about the ability of entities covered by the HIPAA regulations to share individuals’ health information, including with friends and family, public health officials, and emergency personnel. As summarized in more detail below, the HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts, and to assist patients in receiving the care they need. In addition, while the HIPAA Privacy Rule is not suspended during a public health or other emergency, the Secretary of HHS may waive certain provisions of the Privacy Rule under section 1135(b)(7) of the Social Security Act.
President Joseph R. Biden, Jr. has declared that an emergency exists in the state of North Carolina and Secretary Xavier Becerra has declared a public health emergency to address the health impacts caused by Hurricane Helene. Under these circumstances, the Secretary has also exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
- the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
- the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
- the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
- the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
- the patient’s right to request confidential communications. See 45 CFR 164.522(b).
When the Secretary issues such a waiver, it only applies: (1) in the emergency area and for the emergency period identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.
Continue to the full bulletin on HIPAA Privacy and Disclosures in Emergency Situations here.
Additional Resources:
- The Declarations of a Public Health Emergency (PHE) may be found at: https://aspr.hhs.gov/legal/PHE/Pages/default.aspx
- Please view the Waiver or Modification of Requirements under Section 1135 of the Social Security Act at: https://aspr.hhs.gov/legal/1135-Waivers
- For information about how the HIPAA Privacy Rule applies in a public health emergency, visit OCR’s HIPAA Emergency Preparedness, Planning, and Response page (www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/index.html) or use the HIPAA Disclosures for Emergency Preparedness Decision Tool (www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/decision-tool-overview/index.html).
- For information and resources for emergency responders/officials to help ensure individuals have equal access to emergency services, including language access and effective communication, please see this checklist for emergency responders: HHS OCR Emergency Preparedness Checklist for Ensuring Language Access and Effective Communication (www.hhs.gov/sites/default/files/lang-access-and-effective-comm-checklist-for-emergency-responders.pdf).
- For information about emergency requirements for long-term care facilities, visit the CMS Emergency Preparedness Rule page (www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertEmergPrep/Emergency-Prep-Rule.html).
* People using assistive technology may not be able to fully access the information in this file. For assistance, contact the HHS Office for Civil Rights at (800) 368-1019, TDD toll-free: (800) 537-7697, or by emailing [email protected].