The U.S. Department of Health and Human Services (HHS) issued a bulletin Nov. 10, reiterating privacy rules that govern the sharing of patient information by certain covered entities, including health care providers. Hospitals, health plans, and other covered entities that transmit patient information electronically must do so in accordance with the limitations of the Health Insurance Portability and Accountability Act (HIPAA). In the bulletin, HHS reminds covered entities that these provisions still apply during public health emergencies. Under HIPAA, covered entities may share limited patient information for the purposes of treatment, public health, and imminent danger. Covered entities are also permitted to make limited disclosures to family and acquaintances of the patient, as well as to the media.
In addition to these limited types of disclosure, the secretary of HHS is authorized to waive specified provisions of HIPAA if the president declares an emergency or disaster and HHS declares a public health emergency. The bulletin notes that the secretary of HHS may waive the following requirements:
- obtaining a patient’s agreement to communicate with family members or friends involved in the patient’s care
- consenting to a patient request to be excluded from the facility directory
- distributing a notice of privacy practices
- the patient’s right to request privacy restrictions
- the patient’s right to request confidential communications
Waiving these provisions applies only to hospitals in a designated emergency area that have put in place a disaster protocol. The waiver is in effect for up to 72 hours from the time the hospital initiates its disaster protocol.
Please contact Xiaoyi Huang, JD, director of policy, at firstname.lastname@example.org or 202.585.0127 with questions.