Prompted by the Ebola outbreak as well as other events, today, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) issued a bulletin that serves as a reminder that HIPAA privacy regulations generally apply in emergency situations.

Specifically, OCR notes that the bulletin (1) addresses the ways in which patient information may be shared under the HIPAA Privacy Rule in an emergency situation and (2) serves as a reminder that the protections of the HIPAA Privacy Rule are not set aside during an emergency.

OCR notes that HIPAA’s protection of the privacy of individuals’ health information is balanced to ensure that appropriate uses and disclosures of health information may still be made when necessary for treatment, protection of the nation’s public health, and other important purposes. The bulletin outlines the standards for sharing patient health information for various purposes, including:

• Treatment;

• Public health activities;

• Disclosures to family, friends, and others involved in an individual’s care;

• Disclosures to lessen a serious and imminent threat to the health and safety of a person or the public; and

• Disclosures to the media or others not involved in the individual’s care.

The bulletin also outlines other relevant HIPAA standards, including the requirements of the minimum necessary standard, uses and disclosures of health information by business associates, and safeguards necessary to protect health information against impermissible uses and disclosures even during an emergency situation.

In addition to OCR’s summary of the above HIPAA standards, the bulletin also explains that while the HIPAA Privacy Rule is not suspended during a public health emergency, if the President declares an emergency or disaster and the Secretary of the U.S. Department of Health and Human Services declares a public health emergency, the Secretary may waive sanctions and penalties against a covered entity hospital that does not comply with the following HIPAA Privacy Rule standards:

• Requirements to obtain an individual’s agreement to speak with family members or friends involved in the individual’s care;

• Requirement to honor a request to opt out of the facility directory;

• Requirement to distribute a Notice of Privacy Practices;

• Individual right to request privacy restrictions; and

• Individual right to request confidential communications.

In such limited waiver situations, the waiver applies only:

• In the emergency area and for the emergency period identified in the public health emergency declaration;

• To hospitals that have instituted a disaster protocol; and

• For up to 72 hours (or less, depending on when the emergency declaration terminates) from the time the hospital implements its disaster protocol.

For more information on the HIPAA standards outlined in this blog post and for additional OCR resources, please see OCR’s bulletin available here.