October 11, 2018
In the midst of Hurricane Michael, the HHS Office for Civil Rights (OCR) and its federal partners remain in close coordination as part of disaster response. As part of his declaration of a Public Health Emergency (PHE), HHS Secretary Alex Azar has waived sanctions and penalties under certain provisions of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule that may otherwise apply to covered hospitals, such as the provisions that generally require covered entities to give patients the opportunity to agree or object to sharing information with family members or friends involved in the patient’s care. This waiver applies only to the emergency area and for the emergency period identified in the PHE declaration and only to hospitals that have instituted a disaster protocol. Qualifying hospitals can take advantage of the waiver for up to 72 hours from the time the hospital implements its disaster protocol unless the PHE declaration terminates first.
As explained in OCR’s Bulletin on Hurricane Michael, even without an emergency waiver, the Privacy Rule has several provisions that allow patient information to be shared to assist patients in receiving the care they need, including during disasters.  For example, the Privacy Rule permits covered entities to share information with loved ones for treatment purposes, for public health activities, and to prevent or lessen a serious and imminent threat to health or safety.  The Privacy Rule also allows the sharing of information with individuals’ family, friends, and others involved in their care in emergency situations to ensure proper care and treatment.
In addition, when a health care provider is sharing information with disaster relief organizations that are authorized by law or by their charters to assist in disaster relief efforts, such as government relief agencies or entities like the American Red Cross, it is unnecessary to obtain a patient’s permission to share health information if doing so would interfere with the organization’s ability to respond to the emergency.
For information about how the HIPAA Privacy Rule applies in an emergency, visit OCR’S HIPAA Emergency Preparedness, Planning, and Response page or you may use the HIPAA Disclosures for Emergency Preparedness Decision Tool.
For information about emergency requirements for long-term care facilities, visit the CMS Emergency Preparedness Rule page.
DISCLAIMER: These guidance documents are not a final agency action, do not legally bind persons or entities outside the Federal government, and may be rescinded or modified in the Department’s discretion. Noncompliance with any voluntary standards (e.g., recommended practices) contained in these documents will not, in itself, result in any enforcement action.
