OCR clarifies permissible HIPAA disclosures during emergency situations
The Office for Civil Rights (OCR) this week reminded covered entities (CE) of regulations surrounding permissible disclosures of protected health information (PHI). The notification, sent on October 3 to OCR’s listserv, came in the wake of a mass shooting in Las Vegas on October 2.
Providers generally may not disclose a patient’s PHI to those not directly involved in the patient’s care. Disclosures to individuals directly involved in the patient's care should be limited to the minimum necessary. However, healthcare professionals are not the only individuals involved in patient care. Providers may disclose PHI to a patient’s family, friends, or other individuals identified by the patient.
A CE may also share PHI as necessary to help locate and identify individuals and notify family members, guardians, or other individuals responsible for the patient’s care. This provision allows CEs to disclose PHI to notify not only family and loved ones, but also the police, the press, or the public at large.
A CE should always try to obtain verbal permission from patients before disclosing PHI; however, if the patient is unconscious or unable to respond, providers are permitted to use their professional judgment that such a disclosure is in the patient’s best interest.
A CE may also share PHI with disaster relief organizations including the American Red Cross, if such organizations are authorized by law or charter to assist in disaster relief. These organizations may obtain information on the patient’s location, general condition, or death, and may use this information to assist in notification efforts. It is not required to obtain the patient’s permission if doing so would interfere with the disaster relief organization’s ability to respond.
Although large-scale natural disasters might warrant a formal waiver of some HIPAA rules, emergency events such as mass shootings can generally be covered by HIPAA’s permissible disclosure rules. In the aftermath of Hurricanes Harvey, Irma, and Maria, OCR temporarily waived certain HIPAA requirements in the affected areas.
However, OCR did not feel it was necessary to issue a waiver after the 2016 mass shooting in Orlando. Due in part to widespread confusion about whether a HIPAA waiver might be required in Orlando, OCR issued updated guidance on permissible disclosures in January. The guidance clarified that disclosures to a loved one who is not married to the patient or otherwise recognized as a relative are generally permissible under the same the conditions and circumstances as disclosures to a spouse or other relative. Providers may not discriminate on the basis of sex or gender identity.