How the HIPAA Emergency Plan Applies in Times of Disaster
By Stephen Trout, VM Racks
In September of 2018, the powerful tropical storm known as Florence slammed into the eastern seaboard, causing catastrophic flooding and leaving 53 deaths in its wake. With a peak wind intensity of 140 mph, the long-lasting storm became the wettest tropical cyclone recorded in the Carolinas, dumping as much as 36 inches of rain on Elizabethtown, North Carolina. A public health emergency was subsequently declared for North Carolina, South Carolina, and Virginia.
Along with the general public, healthcare providers also faced significant challenges created by the massive storm. Effective communications – always a challenge in times of disaster – suffered as power outages spread. Yet even as torrential rains continued, many were plucked from the rising waters and were saved.
Imminent Dangers and Disclosures
From a HIPAA standpoint, it’s important to understand the implications of how health information is communicated when disasters like Florence happen. What protocols apply when emergency, life-saving actions are required? Is the Privacy Rule still applicable to such situations?
The guiding principle here is that the Privacy Rule is still in force during a public health emergency – unless sharing PHI without consent is necessary to assist in treatment and overall disaster relief efforts.
The HIPAA Privacy Rule was never intended to hinder life-saving missions, or efforts to ensure public health and safety. In fact, the Secretary of HHS will often choose to waive HIPAA sanctions and penalties for healthcare providers – as was the case with Florence.
A waiver from HHS was granted, allowing impacted hospitals and care providers to disclose PHI without consent in cases where the consent requirement would otherwise have hindered emergent patients and the public from receiving the care and critical information they needed.
Consider those who might need, during emergencies, to have legitimate, critical information shared with them. Disclosures could be:
- to a public health authority, such as the Centers for Disease Control and Prevention (CDC) or a state or local health department, whose purpose is to prevent or control disease, injury or disability.
- at the direction of a public health authority, to a foreign government agency
- to persons at risk of contracting or spreading a disease, to notify persons to prevent a serious and imminent threat, as necessary to prevent or lessen a serious or imminent threat to the health and safety of a person or the public
- to the media or others not involved in the care of the patient, providing basic information about the patient’s condition in general terms
Typically, HIPAA requires a healthcare provider or hospital to have a patient’s written consent to reveal their PHI. A waiver from HHS would allow for several instances where this written consent is not required, including:
- The requirement to obtain authorization from a patient to speak with family members or friends involved in the patient’s care;
- The requirement to honor requests to opt out of the facility directory;
- The requirement to distribute a notice of privacy practices;
- The patient’s right to request privacy restrictions; and,
- The patient’s right to request confidential communications
This type of HHS waiver specifically applies:
- In the emergency area and for the emergency period identified in the public health emergency declaration;
- To hospitals that have instituted a disaster protocol; and,
- For up to 72 hours from the time the hospital implements its disaster protocol.
In keeping with the spirit of HIPAA, a covered entity must still make reasonable efforts to limit the information disclosed. The “minimum necessary” is the key to PHI disclosures, and all covered entities should seek to maintain this critical balance.