07 September 2017

Dealing with PHI after Hurricane Harvey (and Other Natural Disasters)


The Department of Health and Human Services (“HHS”) recently issued relief and other helpful guidance about dealing with Protected Health Information (“PHI”) in the wake of disasters like Hurricane Harvey.  You can review this guidance here.

Waiver of Certain Provisions under the Privacy Rule

It is important to remember that HIPAA’s Privacy Rule continues to apply during public health or other emergencies caused by natural disasters.  The Secretary of HHS may, however, waive certain provisions under the Privacy Rule for health care providers (but not all covered entities) that operate in areas that have received disaster declarations by the President.

If such a waiver is issued, it only applies:

  • In the emergency area identified in the public health emergency declaration;
  • To health care providers that have instituted a “disaster protocol”; and
  • For the shorter of:
    • 72 hours after the disaster protocol is implemented; or
    • The emergency period identified in the public health emergency declaration.

Most recently, Secretary Tom Price issued declarations of public health emergencies in Texas (available here) and Louisiana (available here).  As part of these public health emergencies, the following provisions of the Privacy Rule have been waived for health care providers in Texas and Louisiana:

  • The requirement to obtain a patient’s agreement to speak with family members or friends involved with the patient’s care.
  • The requirement to honor a patient’s request to opt out of the health care provider’s facility directory.
  • The requirement to distribute Notices of Privacy Practices.
  • A patient’s right to request privacy restrictions.
  • A patient’s right to request confidential communications.

Other Helpful Reminders

The guidance issued by HHS also provides helpful reminders of when PHI may be permissibly disclosed, without a patient’s authorization, under the Privacy Rule:

  • Treatment. Covered entities may disclose PHI as necessary to treat the patient, or treat another person (e.g., another person who may be affected by the same emergency situation).
  • Public Health Activities. Covered entities may disclose to public health authorities (e.g., the Centers for Disease Control and Prevention, or other state or local health departments) PHI that is necessary to carry out the authority’s public health mission.
  • Family, Friends, and Others Involved in a Patient’s Care. Covered entities may disclose PHI to certain individuals—including disaster relief organizations, like the American Red Cross—involved in the patient’s care.  Verbal permission may be required from patients who are not unconscious or incapacitated.  In certain situations, limited PHI (i.e., limited facility directory information) may be disclosed to the media or other individuals not involved in the patient’s care.
  • Imminent Danger. Covered entities may disclose PHI to anyone necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.

In the event that PHI is disclosed in a situation described above (except for treatment), covered entities should remember that the disclosure is subject to HIPAA’s minimum necessary rule.

Emergency Access

While it is not specifically addressed in the recently issued guidance, covered entities must also establish and implement procedures that allow the covered entity to access electronic PHI in the event of an emergency.  So, it is important—especially in response to natural disasters—for covered entities to maintain an up-to-date emergency access or back-up plan.