The HIPAA Privacy Rule during public health emergencies

“The HIPAA Privacy Rule is not suspended during a public health or other emergency; however, under certain conditions the Secretary of the U.S. Department of Health and Human Services may waive certain provisions of the HIPAA Privacy Rule section 1135(b)(7) of the Social Security Act, if such a waiver is deemed necessary for the particular incident when the Secretary declares a public health emergency and the President declares an emergency or disaster under the Stafford Act or National Emergencies Act,” states the Department of Health and Human Services in HIPAA and Disasters: What Emergency Professionals Need to Know

Related: Is HIPAA waived during natural disasters?

Understanding HIPAA privacy rule modifications

During public health emergencies, the Secretary of the Department of Health and Human Services (HHS) has the authority to waive certain provisions of the HIPAA Privacy Rule. These waivers are:

1. Limited in scope - Only applying to specific provisions of the Privacy Rule
2. Limited in duration - Usually lasting only during the emergency period
3. Limited geographically - Typically only affecting the emergency area
4. Limited to covered entities - Only applying to healthcare providers that have instituted disaster protocols

What actually changes during emergencies?

According to the HHS, “If the President declares an emergency or disaster and the Secretary declares a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule:

• the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care (45 CFR 164.510(b))
• the requirement to honor a request to opt out of the facility directory (45 CFR 164.510(a))
• the requirement to distribute a notice of privacy practices (45 CFR 164.520)
• the patient's right to request privacy restrictions (45 CFR 164.522(a))
• the patient's right to request confidential communications (45 CFR 164.522(b))”

However, the core privacy protections remain in place, including:

• Safeguarding patients' medical records
• Protecting against unauthorized disclosures
• Maintaining the minimum necessary standard for information sharing
• Ensuring secure transmission of protected health information

Public health reporting and information sharing

Even without special waivers, the HIPAA Privacy Rule already includes provisions for public health activities. Healthcare providers can share protected health information without individual authorization for:

• Reporting to public health authorities
• Tracking disease exposure
• Preventing or controlling disease spread
• Supporting public health surveillance
• Implementing intervention measures

Best practices during emergencies

Healthcare organizations should:

1. Stay informed about specific waivers issued during emergencies
2. Document all privacy-related decisions made under emergency conditions
3. Return to normal privacy practices as soon as the emergency waiver period ends
4. Continue maintaining basic security safeguards even when certain privacy requirements are waived
5. Train staff on emergency protocols and modified procedures

According to Tech Target's article Complying with the HIPAA Privacy Rule During Emergency Situations: “Planning is the best approach for healthcare organizations to ensure HIPAA compliance during an emergency. Organizations should develop and implement an emergency preparedness and response plan that contains instructions on how to comply with the HIPAA Privacy Rule and what to do if HHS issues a waiver."

Learn more: How does HIPAA define an emergency?

FAQs

Do all healthcare providers automatically receive HIPAA waivers during emergencies?

No, waivers only apply to covered entities that have activated their disaster protocols and are within the designated emergency area.

How long do HIPAA waivers remain in effect during an emergency?

Waivers are temporary and typically last for the duration of the emergency period, as determined by HHS.

Can healthcare providers share patient information with public health authorities without a waiver?

Yes, the HIPAA Privacy Rule already allows the sharing of protected health information for public health reporting, disease tracking, and intervention efforts.