Rave blog Post

HHS Declares Limited Waiver of HIPAA Privacy Rule and Clarifies Rules on Disclosures in Emergency Situations

The U.S. Secretary of Health and Human Services - Alex Azar - has published a bulletin declaring a limited waiver of the HIPAA Privacy Rule and clarifying the circumstances in which Personal Identifiable Information may be disclosed during an emergency situation.

The purpose of the HIPAA Privacy Rule is to prevent the unauthorized disclosure of Personal Identifiable Information (PII) in the healthcare and healthcare insurance industries. With the exception of disclosing PII for treatment purposes, in most cases the Rule requires a patient's consent which must be obtained before information about them is shared - even with family members or friends involved in the patient's care.

During public health emergencies - such as the current coronavirus COVID-19 pandemic - some or all of the HIPAA Privacy Rule can be waived at the discretion of the U.S. Secretary of Health and Human Services. Therefore, in order to clarify which elements of the Rule are currently being waived and the circumstances in which each of the waivers applies, Secretary Azar published a special bulletin.

The Five Areas in Which the Privacy Rule is Waived

Strictly speaking, no areas of the Privacy Rule have been waived. Instead, Secretary Azar has stated the U.S. Department of Health and Human Services will not pursue sanctions and penalties against a hospital (note - not any HIPAA Covered Entity) that does not comply with the following provisions of the HIPAA Privacy Rule:

  • 45 CFR 164.510(a)(2) - the requirement to provide a patient with the opportunity to opt out of the hospital's directory.
  • 45 CFR 164.510(b)(1) - the requirement to obtain a patient's consent to speak with family members or friends involved in the patient's care.
  • 45 CFR 164.520 - the requirement to provide a patient with a notice of privacy practices for Protected Health Information (PHI).
  • 45 CFR 164.522(a) - the requirement to allow a patient the right to restrict how his or her PHI is used.
  • 45 CFR 164.522(b) - the requirement to allow a patient the right to decide through which channels of communication PHI is shared.

With the exception of allowing medical personnel to speak with family members and friends about the patient's care without the patient's consent, the “relaxation” of enforcement action for failing to comply with the remaining provisions only slightly simplifies hospital processes and does little to alleviate the intense pressure medical personnel are under.

Clarification on Disclosures during Emergency Situations

However, in the bulletin, Secretary Azar has also clarified the circumstances in which it is permitted to disclose patient information in emergency situations without consent and without a waiver. These circumstances apply to all HIPAA Covered Entities and Business Associates provided only the minimum amount of information necessary is disclosed.

Under normal circumstances, disclosures of PHI are only permitted to public health authorities and the media with the patient's consent. While the public health emergency is ongoing, Covered Entities and Business Associates will be permitted to disclose the minimum necessary PHI to public health authorities and the media unless a patient has previously objected to their information being shared.

More significant in terms of public health is the circumstance that Covered Entities and Business Associates can share the minimum necessary PHI to “prevent or lessen a serious and imminent threat”. In theory, this means PHI can be disclosed to anyone where a reasonable risk of contracting or spreading coronavirus exists, or where the opportunity exists to prevent or lessen the outbreak in the community.

Preventing or Lessening Coronavirus in the Community

Contact tracing is one of the most effective ways to prevent the spread of coronavirus. When an individual is diagnosed with coronavirus COVID-19, everybody who has been in contact with the infected individual is notified of their “contact status”, what it means for the contact (usually self-quarantine), and what actions to take if symptoms of the virus start to manifest.

One of the biggest challenges of contact tracing is locating everybody who has been in contact with the infected individual to prevent the spread of the virus escalating. In circumstances where there has been a lengthy time lapse since the initial contact with the infected individual, it might also be necessary to alert all the contacts' contacts of the risk of infection. Therefore, speed is of the essence.

Under normal circumstances, hospitals would not be able to disclose a diagnosis of coronavirus COVID-19 to the community because of the HIPAA Privacy Rule. However, due to Secretary Azar's clarification on disclosures during emergency situations, it is now possible to send a geo-targeted mass notification to areas in which the infected individual may have come into contact with members of the community.

How Hospitals Can Best Send Coronavirus Alerts to Communities

Most hospitals have mass notification systems to alert occupants to emergencies and to communicate non-medical information between management and staff. These are not suitable for sharing patient information because they lack the safeguards of the HIPAA Security Rule to prevent the unauthorized disclosure of PHI (for example, devices that receive PHI have to have automatic log-off capabilities, which would make them unsuitable for receiving emergency alerts).

However, where mass notification systems have SMS opt-in capabilities, they can be used to send coronavirus alerts to communities within minutes of a diagnosis being confirmed. Naturally the alerts would contain the minimum necessary information about the infected individual, but enough to solicit enquiries from members of the public who have been in contact with them.

For example, if an infected individual is known to have been drinking in Joe's Pub the previous weekend, the message could read “ABC Hospital advises anybody who was in contact with a tall, blond-haired man at Joe's Pub last weekend to get in touch”. As the opt-in service would be known to be a coronavirus alert service, the message should be sufficient to advise recipients why they should get in touch urgently. Ideally, Joe's Pub should also be contacted to spread the word among its regular customers.

Further Information about Mass Notification Systems with SMS Opt-In Capabilities

During the current coronavirus pandemic, the speed at which contacts can be identified and quarantined can make the difference between the virus being contained and spreading throughout a community.

If your hospital would like further information about mass notification systems with SMS opt-in capabilities, do not hesitate to get in touch.

Tara Gibson

Tara is a Marketing Coordinator on the Rave Mobile Safety marketing team. She loves writing about all things K-12, State & Local, Higher Ed, Corporate, and Healthcare, and manages the Rave social media channels. When she's not working, she's taking care of her smiley, shoe eating, Instagram-famous fur baby, Enzo!
