HIPAA Emergency Exception: When Can Confidentiality Be Broken

The HIPAA Emergency Exception allows confidentiality to be broken in certain situations, but it's not a free pass to disclose patient information willy-nilly.

There are specific exceptions to confidentiality, such as when disclosure is necessary to prevent serious harm to the individual or others.

For instance, if a patient is at risk of harming themselves or others, confidentiality can be broken to prevent that harm.

In emergency situations, such as a natural disaster or a public health crisis, confidentiality can be broken to coordinate relief efforts or prevent the spread of disease.

HIPAA Emergency Exception

The HIPAA Emergency Exception allows for a temporary waiver of certain patient privacy rules during emergencies. This exception is permitted under the Project Bioshield Act of 2004 and section 1135(b)(7) of the Social Security Act.

To qualify for the waiver, two conditions must be met: the President must declare an emergency or disaster, and the Secretary of HHS must declare a public health emergency. This is exactly what happened during the COVID-19 pandemic.

The waiver specifically allows covered entities, such as hospitals, to waive penalties and fines for non-compliance with certain provisions of the HIPAA Privacy Rule. These provisions include obtaining patient agreement to speak with relatives, honoring patient requests to opt out of facility directories, distributing notices of privacy practices, and respecting patient requests for privacy restrictions and confidential communications.

The waived provisions are:

  • The requirement to obtain a patient's agreement to speak with relatives or friends involved in the patient's care (45 CFR 164.510(b))
  • The requirement to honor a request to opt out of the facility directory (45 CFR 164.510(a))
  • The requirement to distribute a notice of privacy practices (45 CFR 164.520)
  • The patient's right to request privacy restrictions (45 CFR 164.522(a))
  • The patient's right to request confidential communications (45 CFR 164.522(b))

The waiver only applies to hospitals that have instituted a disaster protocol and for up to 72 hours from the time the hospital implements its disaster protocol.

Redisclosure and Exceptions

A covered entity is allowed to disclose PHI without a person's authorization in various circumstances, including incident to an otherwise permitted use and disclosure. This means that if a covered entity has already disclosed PHI for a permitted purpose, they can further disclose it for the same purpose.

For example, if a covered entity discloses PHI to a healthcare provider for treatment purposes, they can then disclose the same PHI to another healthcare provider involved in the same treatment. This is allowed because it's incident to the original permitted use and disclosure.

Here are some examples of permitted redisclosures:

  • Disclosure to another healthcare provider for treatment purposes
  • Disclosure to a third-party payer for payment purposes
  • Disclosure to another covered entity for healthcare operations

Keep in mind that even though these redisclosures are permitted, they must still be made in accordance with the HIPAA Privacy Rule's requirements for minimum necessary disclosure and reasonable safeguards.

Revoking Individual Authorization

Revoking Individual Authorization is a crucial process that can be initiated under certain circumstances.

In the event of a data subject's death, the authorization can be revoked, as stated in Section 3.2.2.

The data controller must notify the data processor of the revocation, and the processor must cease processing the data.

Revocation of authorization can also occur if the data subject withdraws their consent, as explained in Section 2.1.

This can happen if the data subject decides they no longer want their data to be processed, and they notify the data controller in writing.

In some cases, the data controller may be required to delete the data, as specified in Section 3.3.1.

This is typically the case when the data is no longer necessary for the original purpose, and there are no other legal grounds for processing.

Redisclosure of Information Under Part 2

Redisclosure of information under Part 2 is a complex process that requires careful consideration of the exceptions outlined in the relevant legislation.

If the information is already in the public domain, it cannot be redisclosed under Part 2.

Exceptions to this rule include when the information is disclosed to a person who has a legitimate need to know, such as a journalist or a researcher.

However, even in these cases, the information cannot be redisclosed if it is subject to a non-disclosure agreement.

The redisclosure of information under Part 2 is also subject to the requirements of the Freedom of Information Act, which sets out the procedures for handling and disclosing information.

In some cases, the redisclosure of information under Part 2 may be permitted, such as when it is necessary for the purpose of a criminal investigation or prosecution.

The redisclosure of information under Part 2 is a serious matter that requires careful consideration of the potential consequences, including the risk of legal action.

Part 2 and State Laws

In California, the law requires that a redisclosure notice be provided to patients if their medical records are disclosed to a third party, such as a family member. This notice must include the patient's right to request a copy of their records.

The law also requires that a redisclosure notice be provided in Oregon, where a healthcare provider must inform patients of their right to request a copy of their records if they are disclosed to a third party. This notice must be provided in writing.

In Washington state, the law requires that a redisclosure notice be provided to patients if their medical records are disclosed to a third party, unless the disclosure is for treatment or payment purposes. This notice must be provided in writing.

The laws in California, Oregon, and Washington state all require that a redisclosure notice be provided to patients, but the specific requirements for the notice may vary from state to state.

Exceptions List

A covered entity is allowed, but not obliged, to use and disclose PHI without a person's authorization in certain circumstances.

These circumstances include disclosing PHI to the individual, unless required for access or accounting of disclosures.

You might be wondering when exactly a covered entity can disclose PHI to the individual. According to the HHS, this is allowed unless required for access or accounting of disclosures.

Treatment, payment, and healthcare operations are also permitted uses and disclosures of PHI. However, these uses and disclosures must be made to facilitate another party's activity and are subject to limitations.

Let's take a closer look at the specific exceptions allowed for treatment, payment, and healthcare operations.

Here are some examples of permitted uses and disclosures:

  1. Any other provider (even a non-covered entity) to facilitate that provider's treatment activities.
  2. Any covered entity or any provider (even a non-covered entity) to facilitate that party's payment activities.
  3. Another covered entity to facilitate some of that entity's healthcare operations.
  4. Any other covered entity within the same organized health care arrangement, for any health care operations of the arrangement.

In the case of treatment, payment, and healthcare operations, the covered entity must only disclose the minimum necessary PHI to facilitate the other party's activity.

Specific Situations

In emergency situations, HIPAA's emergency exception allows healthcare providers to disclose protected health information without patient consent. This exception is critical for saving lives.

For example, if a patient is unconscious and unable to give consent, a healthcare provider can disclose their medical information to emergency responders, such as paramedics or police officers. This helps ensure the patient receives necessary medical attention.

In cases of domestic violence or abuse, HIPAA's emergency exception allows healthcare providers to disclose protected health information to law enforcement or social services to prevent harm to the patient or others.

Substance Use Confidentiality Regulations

Under the Health Insurance Portability and Accountability Act (HIPAA), substance use treatment records are protected from unauthorized disclosure.

Substance use treatment providers are required to maintain confidentiality of client records, including information about treatment and counseling.

HIPAA allows disclosure of protected health information (PHI) without client consent in emergency situations, such as if a client is at risk of harming themselves or others.

Substance use treatment providers must have a written policy outlining their confidentiality procedures and provide clients with a copy of the policy upon admission.

Client consent is required for disclosure of PHI to third parties, unless an exception applies under HIPAA.

Novel Coronavirus

In situations involving the Novel Coronavirus, HIPAA rules allow for the sharing of protected health information (PHI) under certain circumstances.

A covered entity may disclose PHI to a public health authority, such as the CDC or a state or local health department, to prevent or control the spread of the disease.

This includes reporting disease or injury, conducting public health surveillance, investigations, or interventions. For example, a covered entity may disclose PHI to the CDC to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Novel Coronavirus.

Covered entities may also share PHI with persons at risk of contracting or spreading the disease, if authorized by state law.

In emergency situations, a covered entity may share PHI with disaster relief organizations, such as the American Red Cross, to coordinate the notification of family members or others involved in the patient's care.

These disclosures are allowed without the patient's permission, as long as they are necessary to prevent or control the spread of the disease or to carry out public health interventions or investigations.

Here are some specific scenarios where PHI can be shared:

  • Reporting disease or injury to a public health authority
  • Conducting public health surveillance, investigations, or interventions
  • Notifying persons at risk of contracting or spreading the disease
  • Sharing PHI with disaster relief organizations in emergency situations

Virgil Wuckert

Senior Writer
