Question: I live in an area that is hit by hurricanes, and I want to be able to help patients when other providers may need their protected health information, but I want to remain compliant with HIPAA. Are there emergency exceptions for HIPAA? Georgia Subscriber Answer: The U.S. Department of Health and Human Services (HHS) provides guidelines specific for emergency situations where providers and health plans — covered entities and business associates — may need to share protected health information. HHS outlines when providers can share information and not be in violation of the HIPAA Privacy Rule. The applicable situations fall into the following categories: treatment, notification, imminent danger, and facility directory. Ideally, the health care provider should get verbal permission from individuals, HHS says, but if that is not possible due to the individual being incapacitated or otherwise unavailable, providers should use their professional judgement and act in the patient’s best interest.
Note: The HIPAA Privacy Rule only applies to covered entities; organizations like the American Red Cross are not covered entities and are therefore not subjected to the same rules. Certain conditions must be met for the situation to qualify as an “emergency.” HHS says: “If the President declares an emergency or disaster and the Secretary declares a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule: “If the Secretary issues such a waiver, it only applies: (1) in the emergency area and for the emergency period identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.” Find more information here, www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/index.html.