In response to the recent Ebola outbreak and other events, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released guidance regarding the use and sharing of patient information in emergency situations.  The guidance emphasizes that HIPAA requirements are not suspended during an emergency.  However, the Privacy Rule includes several provisions that affect the use and disclosure of patient information in emergencies.  Additionally, the Secretary of HHS may temporarily waive certain Privacy Rule provisions during emergencies, such as sanctions or penalties against providers that fail to comply with particular requirements.  OCR has created an interactive, online decision-support tool to assist covered entities, business associates, and others in determining how information may be accessed, used, or disclosed consistent with the HIPAA Privacy Rule in emergency situations.

In general, the HIPAA Privacy Rule prohibits covered entities (CEs) from disclosing protected health information (PHI) without written patient authorization.  However, the Rule contains numerous exceptions.  Most notably, a CE may use and disclose PHI for its own “treatment, payment, or health care operations,” and for the treatment activities of another health care provider.  “Treatment” includes the coordination of health care services by one or more providers, including consultation between providers and patient referrals for treatment. 

After giving the individual a chance to agree or object, CEs may use or disclose PHI in certain situations, including:

  • To the individual’s family, friends, or others involved in the individual’s care if the PHI is directly related to the person’s involvement with the individual’s care. 
  • To family, friends, or others involved in the individual’s care, or to disaster relief organizations such as the American Red Cross, to notify or assist in the notification of the individual’s location, general condition, or death. 
  • As part of a facility directory.  Thus, although health care providers may not affirmatively report to the media information about an identifiable individual without written consent, if asked about a patient by name, the provider may release limited directory information to confirm that the individual is a patient and provide general information about the patient’s condition (i.e., stable or critical).
  • In the above situations, CEs must generally give the identified individual an opportunity to object to the use or disclosure.  In emergencies, or if the individual is incapacitated or not present, the CE may use or disclose the PHI if it determines that doing so is in the individual’s best interests. 

CEs may use or disclose PHI without written patient authorization and without giving the individual an opportunity to agree or object in the following situations: 

  • For public health activities to public health authorities authorized to receive the information, such as the Centers for Disease Control and Prevention.  Thus, CEs may report actual or suspected cases of communicable diseases such as Ebola to these authorities. 
  • To persons who may have been exposed to a communicable disease or otherwise at risk of contracting or spreading the disease if the CE is authorized by law to notify the person. 
  • If “necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.”

A business associate (BA) of a covered entity may make the above disclosures on behalf of the CE or another BA to the extent authorized by the BA agreement.  In all cases, CEs and BAs must limit the use or disclosure of PHI to the “minimum necessary” to accomplish the intended purpose.