The U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”), released a bulletin last week addressing how covered entities (including certain health care providers and employer group health plans) and their business associates must continue to satisfy the privacy regulations implemented under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA Privacy Rule”) in public health emergency situations – including the current Ebola outbreak.
According to the November 10, 2014 bulletin, the HIPAA Privacy Rule is not suspended during a public health emergency. The bulletin notes that, while the Privacy Rule is drafted to protect patient privacy, it is also “balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.” In other words, the Privacy Rule already provides mechanisms for disclosing patient health information in public health emergency situations. The bulletin explains that, in a public health emergency, patient information may be shared for treatment purposes, for public health activities, with family, friends and others involved in an individual’s care, for certain notification purposes, and in certain circumstances when there is imminent danger. The bulletin also makes clear, however, that “affirmative reporting to the media or public at large” is generally prohibited without a patient’s written authorization, and that most disclosures must be limited to the minimum information necessary to accomplish the intended purpose.

The bulletin further notes that, in public health emergencies, the Secretary of HHS may waive sanctions and penalties against certain covered entity hospitals for failing to comply with certain provisions of the HIPAA Privacy Rule, including the requirements to obtain a patient’s agreement before speaking with family members or friends involved in the patient’s care and to honor a request to opt out of the facility directory. According to the bulletin, however, such a waiver takes effect only if the President declares an emergency or disaster and the Secretary of HHS subsequently declares a public health emergency.
What You Should Know
Although the bulletin does not give health care providers, group health plans and other covered entities carte blanche to disregard the HIPAA Privacy Rule in public health emergency situations, it does suggest that OCR may factor public safety interests into its enforcement decisions. Given the very narrow applicability and scope of the limited waiver, however, covered entities should take steps to ensure that any use or disclosure of health information in a public health emergency is permissible under the Privacy Rule. In light of the OCR bulletin and ongoing public concern regarding the Ebola outbreak, all covered entities and their business associates should review their policies and procedures, train the workforce members who handle protected health information, and confirm that systems are in place to meet these requirements during a public health emergency.