In response to concerns about the spread of Ebola Hemorrhagic Fever, the United States Department of Health and Human Services (“HHS”), Office of Civil Rights (“OCR”) issued a bulletin clarifying the ways in which the HIPAA Privacy Rule applies in emergency situations. Although the Privacy Rule is designed to protect the privacy of patients’ protected health information (“PHI”), OCR is mindful that in certain events health care providers must balance privacy rights with the need to protect the nation’s public health. The Privacy Rule provides for certain exceptions that apply on a daily basis:
* The Privacy Rule permits covered entities to share patient information without authorization when it is necessary to treat the patient (or to treat different patients).
* Public health authorities and other parties responsible for ensuring public health and safety have access to PHI. This includes possible disclosure to a public health authority, at the direction of a public health authority, or to individuals at risk of contracting or spreading a disease or condition.
* The Privacy Rule allows for disclosure to family, friends, and others identified by the patient as involved in the patient’s care. Covered entities can also share information about a patient as necessary to identify and locate family members or other individuals responsible for the patient’s care.
* In instances of imminent danger, health care providers may share PHI with anyone as necessary to prevent or lessen a serious or imminent threat to the health and safety of an individual or the public (with appropriate safeguards in place).
* The Privacy Rule also permits limited disclosure in certain instances to the media or others not involved in the patient’s care, although practitioners should exercise caution before suggesting reliance upon such exceptions to the Privacy Rule.
In a public health or other emergency, the HIPAA Privacy Rule is not suspended, but rather the Secretary of HHS may waive certain provisions pursuant to the Project Bioshield Act of 2004 (Pub. L. 108-276) and section 1135(b)(7) of the Social Security Act. Likewise, if the President of the United States declares an emergency or disaster and the Secretary of HHS declares a public health emergency, HHS may waive sanctions and penalties against any covered entity failing to comply with certain Privacy Rule provisions. Such waivers only apply (1) to the emergency area and for the specific emergency at issue, (2) to hospitals that have instituted disaster protocol, and (3) for up to 72 hours from the time the disaster protocol begins.
These rules are applicable only to covered entities and their business associates. OCR emphasized that the information set forth in the bulletin relates to sharing PHI in an emergency situation, but that an emergency itself does not eviscerate the protections afforded under the Privacy Rule.