HHS Secretary Alex Azar has declared a public health emergency in the states of Texas and Louisiana because of Hurricane Laura, and in California because of the continuing wildfires.
The HIPAA Rules remain in force during public health emergencies, but the HHS Secretary can waive certain HIPAA Privacy Rule provisions under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.
In addition to declaring the public health emergencies, the HHS Secretary has announced a waiver of sanctions and penalties against hospitals for noncompliance with the following HIPAA Privacy Rule provisions:
- 45 CFR 164.510(b) – The requirement to obtain a patient’s agreement before discussing the patient’s care with family members or friends involved in that care.
- 45 CFR 164.510(a) – The requirement to honor a patient’s request to opt out of the facility directory.
- 45 CFR 164.520 – The requirement to provide patients with a notice of the hospital’s privacy practices.
- 45 CFR 164.522(a) – The patient’s right to request privacy restrictions.
- 45 CFR 164.522(b) – The patient’s right to request confidential communications.
Only hospitals located in the states covered by the public health emergency declarations are excused from sanctions and penalties for noncompliance with the provisions listed above, and the waiver is effective only for the duration of the declared public health emergency.
The waivers apply only to hospitals that have implemented a disaster protocol, and only for up to 72 hours from the time the disaster protocol is instituted. Once the Presidential or Secretarial emergency declaration ends, the waivers no longer apply and hospitals must comply with all HIPAA Privacy Rule provisions, even if the 72-hour period has not yet elapsed.
During public health emergencies, the HIPAA Privacy Rule permits sharing patient information for treatment, billing, and healthcare operations.
Patient data may also be shared for public health activities so that public health authorities can carry out their public health mission. A public health authority such as the Centers for Disease Control and Prevention can receive patient data to prevent or control disease, disability or injury.
The HIPAA Privacy Rule additionally allows patient data to be shared, at the direction of a public health authority, with a foreign government agency, and with individuals at risk of contracting or spreading a disease or health condition where other law permits a covered entity to notify such persons in order to prevent or control the spread of the disease or to carry out public health interventions or research.
Disclosures to family members, friends, and other persons involved in the patient’s care, and disclosures for notification purposes, are also permitted. Healthcare providers may share patient data with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, consistent with applicable law and the provider’s standards of ethical conduct.
Limited disclosure of patient data to the media or to other persons not involved in the patient’s care may be permitted when a request is received that names the patient. In that case the disclosure is restricted to facility directory information: confirmation that the person is a patient at the facility and the patient’s general condition (stable or critical, treated and released, or deceased).
In all cases, healthcare providers must follow the minimum necessary standard: disclosures must be limited to the least amount of data required to accomplish the purpose of the disclosure.