Severe disasters present significant challenges for healthcare providers, raising concerns about how entities covered by HIPAA regulations can share individuals’ health information with friends, family, public health officials, and emergency personnel. As detailed below, the HIPAA Privacy Rule permits the sharing of patient information to support disaster relief efforts and to ensure patients receive necessary care. While the HIPAA Privacy Rule remains in effect during public health or other emergencies, the Secretary of HHS can waive certain provisions of the Privacy Rule under section 1135(b)(7) of the Social Security Act.
President Joseph R. Biden, Jr. has declared a state of emergency in Texas, and Secretary Xavier Becerra has declared a public health emergency to address the health impacts of Hurricane Beryl. In this context, the Secretary has exercised the authority to waive sanctions and penalties against covered hospitals that do not comply with the following provisions of the HIPAA Privacy Rule:
- Obtaining a patient’s agreement to speak with family members or friends involved in their care (45 CFR 164.510(b)).
- Honoring a patient’s request to opt out of the facility directory (45 CFR 164.510(a)).
- Distributing a notice of privacy practices (45 CFR 164.520).
- Respecting the patient’s right to request privacy restrictions (45 CFR 164.522(a)).
- Respecting the patient’s right to request confidential communications (45 CFR 164.522(b)).
When the Secretary issues a waiver, it applies under the following conditions:
- Within the designated emergency area and for the duration specified in the public health emergency declaration.
- To hospitals that have activated their disaster protocols.
- For a maximum of 72 hours from the time the hospital initiates its disaster protocol.
Once the Presidential or Secretarial declaration ends, hospitals must immediately adhere to all HIPAA Privacy Rule requirements for any patient still in their care, regardless of whether the 72-hour period has concluded.
Further Information on HIPAA Privacy and Disclosures During Emergencies
Even without a waiver, the HIPAA Privacy Rule allows patient information to be shared under specific circumstances. Here are the key purposes and conditions:
Treatment: Covered entities can disclose a patient’s protected health information without their authorization if it’s necessary for their treatment or for treating another person in a similar emergency. Treatment includes coordinating healthcare, consultations between providers, and patient referrals for further treatment (45 CFR §§ 164.502(a)(1)(ii), 164.506(c), and 164.501).
Public Health Activities: The HIPAA Privacy Rule acknowledges the importance of public health authorities and others responsible for public health and safety having access to necessary protected health information. Therefore, covered entities can disclose this information without individual authorization to support public health missions.
- Public Health Authorities: Information can be shared with agencies like the Centers for Disease Control and Prevention (CDC), state or local health departments, or other authorized entities. This is to support efforts in disease prevention, injury control, or disability management. Examples include disease reporting, vital event reporting (like births or deaths), public health surveillance, investigations, or interventions. A “public health authority” can be a government agency at the federal, state, territorial, or local level, including entities acting under its authority (45 CFR § 164.501).
- Collaboration with Foreign Agencies: Information can also be disclosed to foreign government agencies working with a public health authority, as directed by that authority (45 CFR 164.512(b)(1)(i)).
- Risk Notification: If allowed by other laws, such as state regulations, covered entities may notify individuals at risk of contracting or spreading a disease or condition. This is necessary to prevent or control the spread of diseases or for public health interventions and investigations (45 CFR 164.512(b)(1)(iv)).
Disclosures to Family, Friends, and Others Involved in a Patient’s Care and for Notification: A covered entity is permitted to share a patient’s protected health information with their family members, relatives, friends, or others identified by the patient as involved in their care. Additionally, the entity can disclose information to help identify, locate, and notify family members, guardians, or caregivers about the patient’s location, general condition, or death. This may involve notifying authorities like the police, the press, or the general public if necessary for notification purposes (See 45 CFR 164.510(b)).
- Covered entities should obtain verbal permission from individuals whenever possible, or reasonably infer that the patient does not object, before sharing their information. In cases where the patient is incapacitated or unavailable, covered entities may disclose information if they believe, based on their professional judgment, that it’s in the patient’s best interest.
- For patients who are unconscious or incapacitated, healthcare providers can share relevant information with family, friends, or others involved in the patient’s care or payment for care, if it’s determined to be in the patient’s best interest. For example, a provider may decide it’s appropriate to inform an elderly patient’s adult child about their condition, but would generally not share unrelated medical history without permission.
- Additionally, covered entities can share protected health information with disaster relief organizations like the American Red Cross, authorized by law or their charters to assist in disaster relief efforts. This allows coordination of notifications to family members or others involved in the patient’s care about the patient’s location, general condition, or death. Permission from the patient isn’t required in such emergency situations where obtaining permission would hinder the organization’s response.
Imminent Danger: Healthcare providers can share patient information with anyone necessary to prevent or lessen a serious and imminent threat to someone’s health or safety, as allowed by applicable laws and the provider’s ethical standards. This includes disclosing health information to family, friends, caregivers, and law enforcement without the patient’s permission. HIPAA defers to the professional judgment of healthcare professionals in assessing the nature and severity of the threat (See 45 CFR 164.512(j)).
Disclosures to the Media or Others Not Involved in Patient Care/Notification: Upon request for information about a specific patient, a hospital or healthcare facility may release limited facility directory information to confirm that an individual is a patient there. Basic information about the patient’s condition in general terms (e.g., critical, stable, deceased, treated and released) may also be provided, unless the patient has objected or restricted such disclosures. If the patient is unable to express preferences, disclosures must be in their best interest and consistent with prior expressed preferences (See 45 CFR 164.510(a)).
In general, without the patient’s written authorization or that of their legally authorized representative, affirmative reporting to the media or public about an identifiable patient, or disclosing specific details of treatment (such as test results or illness details), is not permitted under HIPAA regulations (See 45 CFR 164.508 for HIPAA authorization requirements).
Minimum Necessary Standard: For most disclosures, covered entities must make reasonable efforts to limit the information shared to the “minimum necessary” for the intended purpose. This requirement does not apply to disclosures to healthcare providers for treatment purposes. Covered entities can rely on representations from public health authorities or officials that the information requested meets the minimum necessary standard. Internally, covered entities should enforce role-based access policies to restrict access to protected health information to only those staff members who need it for their duties (See 45 CFR §§ 164.502(b), 164.514(d)).
Business Associates: Business associates of covered entities, including subcontractors, can make disclosures permitted by the Privacy Rule (such as to public health authorities) on behalf of covered entities or other business associates as authorized by their business associate agreements.
Safeguarding Patient Information: During emergencies, covered entities must maintain reasonable safeguards to protect patient information from unauthorized uses and disclosures, whether intentional or accidental. Additionally, covered entities and their business associates must adhere to the administrative, physical, and technical safeguards outlined in the HIPAA Security Rule specifically for electronic protected health information.
HIPAA Coverage: The HIPAA Privacy Rule governs disclosures made by employees, volunteers, and other members of a covered entity’s or business associate’s workforce. Covered entities include health plans, healthcare clearinghouses, and certain healthcare providers engaged in electronic healthcare transactions, such as submitting healthcare claims to insurers. Business associates are typically individuals or entities (excluding a covered entity’s own workforce) that perform functions or provide services involving protected health information, such as data maintenance or transmission. This also includes subcontractors engaged in similar activities on behalf of other business associates. Entities or individuals not classified as covered entities or business associates are not bound by the HIPAA Privacy Rule, though they may choose to adopt its standards voluntarily. For example, the American Red Cross is not restricted by the HIPAA Privacy Rule in sharing patient information, although other state or federal regulations may apply.