The recent shooting attack in Las Vegas and other man-made disasters have prompted the Department of Health and Human Services (“DHHS”) Office for Civil Rights (“OCR”) to clarify HIPAA Privacy Rules on disclosures to family, friends, and other individuals.

Following Hurricanes Irma and Maria, OCR issued a partial waiver of certain provisions of the HIPAA Privacy Rule in the geographical disaster areas of both hurricanes. OCR has issued such waivers when the government has declared a public health emergency following a natural disaster. But OCR apparently does not issue such waivers routinely after man-made disasters, such as active shooter deaths. It did not issue a HIPAA Privacy Rule waiver after the attack in Las Vegas or the Orlando nightclub shootings. Thus, health care organizations involved in the treatment of victims of the Las Vegas shootings remained subject to the provisions of the Privacy Rule. Rather, OCR “clarified” the guidance of the Privacy Rule without adding anything new.

The clarification specifies that covered entities may share protected health information (“PHI”) under the following five disclosures authorized by the Privacy Rule:

• Treatment.
• Notification.
• Imminent danger.
• Facility Directories.
• Media.

Treatment. Under the treatment ambit, providers may share PHI as necessary to properly treat patients. See 45 C.F.R. § 164.506(a). Treatment includes the following:

• Sharing information with other providers, including hospitals and clinics.
• Referring patients for treatment, including linking patients with available providers in areas where the patients have relocated.
• Coordinating patient care with others, such as emergency relief workers or others that can help in finding patients appropriate health services.

When a health care provider is sharing information with disaster relief organizations that are authorized by law or by their charters to assist in disaster relief efforts, such as the American Red Cross, it is unnecessary to obtain a patient’s permission to share the information if doing so would interfere with the organization’s ability to respond to the emergency.

Even with this Privacy Rule authorization to release PHI in emergency situations, covered entities should try to obtain verbal permission from the patient to share information. In the case of an incapacitated patient, for example, the providers may however determine, in their professional judgment, whether disclosing PHI is in the patient’s best interest.

Notification. Providers may share PHI as necessary to identify, find, and notify family members, guardians, or others responsible for the patent’s care of the patient’s location, general condition, or death. OCR explained that 45 C.F.R. § 164.510(b) (Disclosures to family, friends, and other individuals involved in a patient’s care) allows covered entity providers to disclose PHI to family, friends, and other individuals that have been identified by a patient as being involved in his or her care.

Serious and imminent threat. The Privacy Rule permits a covered entity to disclose PHI, including psychotherapy notes, when the covered entity has a good faith belief that the disclosure (1) is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others and (2) is to a person or persons reasonably able to prevent or lessen the threat. This disclosure  may include, depending on the circumstances, disclosure to law enforcement, family members, the target of the threat, or others who the covered entity has a good faith belief could mitigate the threat. The disclosure also must be consistent with applicable law and standards of ethical conduct. See 45 C.F.R. § 164.512(j)(1)(i).

Facility directories. Health care facilities maintaining a directory of patients can tell people who call or ask about an individual whether the individual is at the facility, his or her location in the facility, and his or her general condition in an emergency, the same as they can during normal operations. The Privacy Rule permits a covered hospital or other covered health care provider to maintain in a directory certain information about patients, such as patient name, location in the facility, health condition expressed in general terms that does not communicate specific medical information about the individual, and religious affiliation. The patient must be informed about the information to be included in the directory and to whom the information may be released and must have the opportunity to restrict the information or to whom it is disclosed or to opt out of being included in the directory. The patient may be informed and make his or her preferences known orally or in writing. The facility may provide the appropriate directory information, except for religious affiliation, to anyone who asks for the patient by name. Religious affiliation may be disclosed to members of the clergy, who are given additional access to directory information under the Rule.

Even when, because of emergency treatment circumstances or incapacity, the patient has not been provided an opportunity to express his or her preferences about how or whether the information may be disclosed, directory information about the patient may still be made available if doing so is in the individual’s best interest as determined in the professional judgment of the provider and would not be inconsistent with any known preferences previously expressed by the individual. In these cases, as soon as practicable, the covered health care provider must inform the patient about the directory and provide the patient an opportunity to express his or her preferences about how or whether the information may be disclosed. See 45 C.F.R. § 164.510(a).

Media. The HIPAA Privacy Rule permits covered entities to inform the media about a specific patient’s general health condition (critical, stable, deceased, or treated and released) if a request is made about a patient that is mentioned by name, provided that the patient has not previously objected to the sharing of such information, in which case the patient’s request should be honored. Any sharing of other information, such as test results, details of an illness, or other health information, must generally be disclosed only if the patient has signed a written permission. 45 C.F.R. § 164.508.

The Minimum Necessary Rule. Whenever PHI is shared, except for treatment purposes, the minimum necessary standard applies. Under it, any PHI disclosed must be limited to the minimum information necessary to achieve the purpose for which the information is shared. 45 C.F.R. §§ 164.502(b) and 164.514(d).

Conclusion. An emergency, whether natural or man-made, can strike at any time, and you need to know these rules for disclosures during such emergencies. For further guidance, See generally U.S. Department of Health and Human Services Office for Civil Rights, “Hurricane Katrina Bulletin #2: HIPAA Privacy Rule Compliance Guidance and Enforcement Statement for Activities in Response to Hurricane Katrina,” September 9, 2005. For assistance in deciding the above issues, see U.S. Department of Health and Human Services Office for Civil Rights, “HIPAA Privacy Rule: Disclosures for Emergency Preparedness—A Decision Tool,” available at http://www.hhs.gov/ocr/hipaa/decisiontool.

Heads-up reminder: We plan to conduct our two-day Hands-on HIPAA workshop in the Kansas City area, likely in Johnson County around Metcalf and College, about 13 weeks from now on Thursday and Friday, March 1–2, 2018. More exact info to follow, so stay tuned and block out your calendars!