Today, OCR posted a new response to the FAQ "Is the HIPAA Privacy Rule suspended during a national or public health emergency?" The federal government’s answer? . . . NO! The FAQ response states that the Secretary of HHS may, however, waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act. Therefore, if the President declares an emergency or disaster and the Secretary declares a public health emergency, the Secretary could waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule. Personally, I think that the government’s FAQ could spark further confusion.
Regardless of the activation of an emergency waiver, I think that it’s most important to note that the HIPAA Privacy Rule would not prevent disclosures during a national emergency to:
- provide treatment (45 CFR 164.506(c));
- avert a serious threat to health or safety (45 CFR 164.512(j)); and
- disaster relief organizations (45 CFR 164.510(b)(4)).
So, for instance, a covered entity could share patient information with the American Red Cross to notify family members of the patient’s location. In the end, good judgment should always prevail when the health or safety of an individual is at stake. For helpful information on how to handle health information issues during a national emergency, visit Katrina.