OCR Clarifies HIPAA Rules in Response to Las Vegas Attacks

The attack at the Las Vegas music festival earlier this month has prompted the Department of Health and Human Services’ Office for Civil Rights to clarify HIPAA Rules on disclosures to family, friends and other individuals. The HHS has clarified the HIPAA Rules on disclosures in order to increase the standard of patient care after such a horrendous event.

It is not uncommon for OCR to issue a partial waiver of certain provisions of the HIPAA Privacy Rule after a natural disaster when a public health emergency has been declared. Such an action was seen after Hurricanes Irma and Maria, when a waiver was issued in the disaster areas of both hurricanes.

However, OCR did not issue a HIPAA Privacy Rule waiver after the attack in Las Vegas. Similarly, no such waiver was issued following the Orlando nightclub shootings in 2016. OCR usually issues waivers of HIPAA Rules following natural disasters, and not after shootings or other incidents caused by humans. Healthcare organizations involved in the treatment of victims of the Las Vegas shootings were required to continue to follow the provisions of the HIPAA Privacy Rule in their entirety. Hence, OCR saw fit to clarify HIPAA Rules on disclosures to help those dealing with the disaster avoid violations.

In its statement, OCR explained that the HIPAA Privacy Rule allows healthcare organizations to disclose PHI to family, friends, and other individuals who have been identified by a patient as being involved in his or her care. PHI may also be shared to help identify or locate individuals involved in a patient’s care, or to notify them of the patient’s location, health status, or death. HIPAA Rules further stipulate that when PHI is shared, the minimum necessary standard applies. This requires that the amount of PHI shared be limited to the minimum necessary to achieve the purpose for which the information is shared.

In an emergency situation, HIPAA covered entities are required to try to obtain verbal permission from the patient to share their confidential information. However, in an emergency situation, the patient may not be capable of expressing their consent. The covered entity is then required to make a judgement, using its professional experience, to determine whether sharing information will improve the standard of care the patient receives, or whether it is generally in the patient’s best interests.

When a partial HIPAA waiver is issued, such as in the case of natural disasters, PHI may need to be shared with disaster relief organizations to assist with disaster relief efforts. While permission should be obtained, it is not necessary if obtaining permission would interfere with the organization’s ability to respond to an emergency situation.

The HIPAA Privacy Rule permits covered entities to inform the media about a specific patient’s general health condition (critical, stable, deceased, or treated and released) if a request is made about a patient that is mentioned by name, provided the patient has not previously objected to the sharing of such information. If the patient has objected, the patient’s request should be respected. 

Other information, such as test results, details of an illness, or other health information, must generally only be shared if permission has first been obtained from the patient in writing.

The provisions of the HIPAA Privacy Rule are detailed in: 45 CFR 164.510(b) – Disclosures to family, friends, and other individuals involved in a patient’s care; 45 CFR 164.510(a) – Disclosures to the media and individuals not involved in a patient’s care; 45 CFR 164.508 – HIPAA authorizations; 45 CFR §§ 164.502(b) and 164.514(d) – The minimum necessary standard.