The short answer is “no.” But the full answer is more mixed.
The U.S. Department of Health and Human Services (HHS) learned lessons during Hurricane Katrina (2005), Hurricane Sandy (2012) and the Ebola crisis (2014-16) that have guided its policies around exceptions to the Privacy Rule during disasters.
HHS Bulletins Provide Guidance
Hurricane Harvey’s destruction may surpass that of Katrina and Sandy, and HHS has just today issued a Bulletin outlining its policy on waivers for hospitals in Texas and Louisiana. HHS issued Bulletins during other emergencies, including two in 2005 resulting from Hurricane Katrina, one in 2013 related to law enforcement, and one in 2014 related to privacy in emergency situations. All of these Bulletins and additional guidance may be found on the HHS Bulletins and Guidance page.
During a public health emergency or disaster, there are exceptions to HIPAA that permit covered entities like hospitals to share protected health information with other providers, public health authorities and certain other designated parties. On the other hand, even during a disaster, the majority of HIPAA requirements remain in effect, so covered entities must remember that they are still responsible for fulfilling their HIPAA obligations in the midst of a disaster.
No Excuse for Social Media Photos posted by Covered Entities
In the last several days, pictures of nursing home residents and patients in Texas have been posted on Facebook and other social media by health care providers. Whether posted as an appeal for help or for publicity, and even if well intentioned, these postings are blatant violations of patient privacy and are not justified by the emergency.
The HIPAA Privacy Rule is not Suspended
HIPAA still applies during a public health emergency. However, if the President declares an emergency or disaster, and the HHS Secretary declares a public health emergency, then the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain HIPAA provisions. On August 27, Secretary Tom Price declared such a public health emergency in Texas. The waivers apply to the following HIPAA Privacy Rule provisions.
- the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care.
- the requirement to honor a request to opt out of the facility directory.
- the requirement to distribute a notice of privacy practices.
- the patient’s right to request privacy restrictions.
- the patient’s right to request confidential communications.
Note that this type of waiver only applies:
- In the emergency area and for the emergency period identified in the public health emergency declaration.
- To hospitals that have instituted a disaster protocol.
- For up to 72 hours from the time the hospital implements its disaster protocol.
When these types of declarations end, OCR adds that providers have to comply with all Privacy Rule requirements for patients in their care, “even if 72 hours has not elapsed since implementation of its disaster protocol.”
OCR also emphasizes the fact that HIPAA rules only apply to covered entities and their business associates. So, for example, the Red Cross is not subject to HIPAA, and may use and disclose patient information in order to carry out its mission.
The HIPAA Security Rule Requires Contingency Planning Before an Emergency
All covered entities and business associates must comply with the Security Rule standard requiring that they establish a Contingency Plan consisting of policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure or natural disaster) that damages systems containing electronic protected health information.
At a minimum, this Contingency Plan (SR-20 within The HIPAA E-Tool®) will include a Data Backup Plan (SR-21), a Disaster Recovery Plan (SR-22) and an Emergency Mode Operation Plan (SR-23).
The Privacy and Security Rules work together. Knowing how to prepare and prevent through planning, and how to respond and recover during and after an emergency, is part of a full HIPAA Compliance Policy. And while rules may be relaxed in certain circumstances, patient privacy is still a high priority and must be maintained during emergencies.