HHS: Hurricane Harvey & HIPAA Bulletin
Written by Editor   
Thursday, September 07, 2017 05:39 PM

“Severe disasters – such as Hurricane Harvey,” the HHS notes, “impose additional challenges on health care providers. Often questions arise about the ability of entities covered by the HIPAA regulations to share information, including with friends and family, public health officials, and emergency personnel.”  In the wake of Hurricane Harvey the HHS has released a Bulletin reviewing HIPAA regulations. Read the full bulletin for complete details. 

The bulletin notes that the HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts, and to assist patients in receiving the care they need.  While the HIPAA Privacy Rule is not suspended during a public health or other emergency, the Secretary of HHS may waive certain provisions of the Privacy Rule, and following the President’s declaration that a disaster exists in the States of Texas and Louisiana the Secretary has exercised the authority to waive sanctions and penalties against covered hospitals.

But even without a waiver specifically covering entities such as doctors of chiropractic, the HIPAA Privacy Rule always allows patient information to be shared for the following purposes and under the following conditions:

Treatment Under the Privacy Rule

Covered entities may disclose, without a patient’s authorization, protected health information as necessary to treat the patient, including the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment.

Public Health Activities 

The Privacy Rule permits covered entities to disclose needed protected health information (PHI) without individual authorization to, for example, a public health authority, such as the Centers for Disease Control and Prevention (CDC) or a state or local health department. 

Or to a “public health authority” is an agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. At the direction of a public health authority, to release PHI a foreign government agency that is acting in collaboration with the public health authority. 

Or to persons at risk of contracting or spreading a disease or condition.

Disclosures to Family, Friends, and Others Involved in an Individual’s Care and for Notification 

A covered entity may share protected health information with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary to notify family members and others, the police, the press, or the public at large. The covered entity should get verbal permission from individuals or otherwise be able to reasonably infer that the patient does not object, covered entities may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest.

In addition, a covered entity may share PHI with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notification of family members or other persons involved in the patient’s care, of the patient’s location, general condition, or death. It is unnecessary to obtain a patient’s permission to share the information in this situation if doing so would interfere with the organization’s ability to respond to the emergency.

Imminent Danger 

Health care providers may share PHI with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. Thus, providers may disclose a patient’s health information to anyone who is in a position to prevent or lessen the threatened harm, including family, friends, caregivers, and law enforcement, without a patient’s permission. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health or safety.

Disclosures to the Media or Others Not Involved in the Care of the Patient 

Upon request for information about a particular patient by name, a hospital or other health care facility may release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information. 

Minimum Necessary 

For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the “minimum necessary” to accomplish the purpose.

Business Associates 

A business associate of a covered entity may make disclosures permitted by the Privacy Rule, such as to a public health authority, on behalf of a covered entity or another business associate to the extent authorized by its business associate agreement.

Safeguarding Patient Information

In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information

Source: https://www.hhs.gov/sites/default/files/hurricane-harvey-hipaa-bulletin.pdf?inf_contact_key=28005f4ce7d5e89e701ca713a7674988be62c7b1925eaa8de87ecbb3e5090f66