Hurricane Harvey has been pummeling the Gulf Coast since Monday, with nearly 52 inches of rainfall in parts of Texas. The storm has displaced thousands of people from their homes and has resulted in over 30 reported deaths. Disasters like Hurricane Harvey impose significant challenges on healthcare providers and entities. Emergency rooms are inundated with patients seeking care or shelter. Some hospitals are forced to close and evacuate patients. Family and friends are frantically trying to obtain information to ensure their loved ones are safe.

Amid the chaos, many healthcare facilities face uncertainty regarding the proper disclosure of protected health information (PHI) under the HIPAA Privacy Rule. Although the HIPAA Privacy Rule cannot be suspended during emergencies, it contains certain provisions that can help to ease covered entities’ concerns. Additionally, the Secretary of the Department of Health and Human Services (HHS) can issue a limited waiver to enable covered entities to more effectively assist in relief efforts and patient care.

The HIPAA Privacy Rule contains several provisions that provide for expanded disclosure during emergency situations. For example, covered entities may disclose PHI to a public health authority, such as a state or local health department, authorized to use such information to prevent or control disease, injury, or disability. Further, covered entities may disclose PHI to anyone if necessary to prevent serious imminent danger to the health and safety of any person or the public. Finally, covered entities may disclose limited facility directory information and general information about a patient’s condition to the media or others upon a request for such information as long as the patient has not objected to its release. These disclosures are limited by the “minimum necessary” requirement, whereby the covered entity must make reasonable efforts to ensure the PHI disclosed is limited to the minimum necessary to accomplish the purpose of the disclosure.

In addition to the above exceptions for emergency situations, the Secretary of HHS may also issue a waiver of certain provisions of the HIPAA Privacy Rule if the President declares an emergency or disaster and the Secretary subsequently declares a public health emergency. In these instances, the Secretary may waive the requirements to: 1) obtain a patient’s consent to speak with family or friends involved in the patient’s care; 2) honor a request to opt out of the facility directory; 3) distribute a notice of privacy practices; 4) honor the patient’s right to request privacy restrictions; and 5) honor the patient’s rights to request confidential communications.

When a Secretary-authorized HIPAA waiver is issued, it only applies to covered entities in the emergency area and only lasts as long as the emergency period identified in the Secretary’s declaration. Further, it only applies to hospitals that have implemented a disaster protocol. Once the protocol is initiated, a hospital has 72 hours until compliance with the HIPAA Privacy Rule is again required. If the disaster or public health emergency declarations are terminated at any time, the waiver also terminates. Although limited, such waivers can help to significantly ease the burdens of covered entities during an already challenging time. Further, they may serve to facilitate a more efficient emergency response. With greater access to patient information, first responders, public health officials, and providers can work together to maximize relief efforts.

For more information from HHS on the HIPAA Privacy Rule during Declared Emergencies, see:

The Department of Health and Human Services: Hurricane Harvey & HIPAA Bulletin

Emergency Situations: Preparedness, Planning, and Response 

Disclosures for Emergency Preparedness – A Decision Tool