Patient Privacy & Security

Allowable HIPAA Exceptions in Emergency Situations

The Privacy Rule allows for HIPAA exceptions under emergency circumstances, including for treatment of an individual patient, or for public health reasons.

During an emergency, thinking about patient privacy may not be at the forefront. However, doctors still have to keep HIPAA regulations in mind at all times to protect their patients. Still there are instances when HIPAA exceptions come into play, and knowing these times should make certain medical situations easier to deal with.

HIPAA exceptions for emergency situations were not defined when new federal regulations were passed in 1996. In 2014, in response to public health crises around the world, The U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) released a bulletin to clarify how a patient's protected health information (PHI) could be used in emergency situations without violating rules.

The bulletin states explicitly that the Privacy Rule is "not set aside during an emergency," but defines additional ways that PHI can be used for "critical purposes," which include individual treatment or in the face of public health crises. The "Bulletin: HIPAA Privacy in Emergency Situations" applies to the same covered entities, business associates and subcontractors as the HIPAA Privacy Rule, all of which are responsible for the security and privacy of the health information that they collect, transmit or store.

Technological advances such as cloud storage and image sharing allow for seamless and secure transmission of health records, but providers are compelled by law to know when this is allowable outside of normal circumstances when a patient has not provided consent.

HIPAA Exceptions Defined

In emergency situations, the HIPAA Privacy Rule allows disclosures as follows:

  • As necessary to treat patients.
  • To public health authorities to prevent or control disease, disability or injury.
  • To foreign government agencies upon direction of a public health authority.
  • To individuals who may be at risk of disease.
  • To family or others caring for an individual, including notifying the public.
  • To persons in imminent danger.
  • To release general directory-level information about an individual who is hospitalized.

As with other disclosures allowable under the Privacy Rule, the information released must always be the "minimum necessary," except for treatment purposes, and must use reasonable means to keep the patient's information protected from unauthorized use.

In the event of a declared public health emergency, hospitals are shielded for a brief but defined period from sanctions and penalties normally associated with HIPAA violations; these include uses of PHI, such as speaking with a patient's family member without permission, giving a patient a copy of the entity's privacy notice or protecting the patient's absolute privacy or confidentiality.

HIPAA Exceptions in Everyday Practice

While the Privacy Rule emergency bulletin was released, in part, in response to the Ebola virus, private practice OB/GYNs may not encounter situations as straightforward as reporting on highly contagious tropical diseases. Physicians must always use their best judgment when deciding when to release a patient's information, what information to release and to whom.

For example, if a physician receives a call from another doctor stating that a mutual patient is having a medical emergency, the first physician must decide whether the call is legitimate before releasing the information. If the call is judged to be legitimate, then the provider is adhering to HIPAA regulations by releasing pertinent information, but still must ensure that the information is transmitted securely.

Other acceptable emergency disclosures might include when a patient is threatening self-harm or injury to others, if they become incapacitated and an emergency contact cannot be located, or if a patient with a communicable disease has come into contact with other people in a practice who need to be notified. In each case, the minimum amount of information necessary should be shared with the appropriate persons (or authorities) to address the situation at hand.

Physician discretion is allowable and necessary when considering HIPAA exceptions. Doctors are not only the gatekeepers to an individual's health, but at times, also to the community at large. There are times when a patient will not be able to consent to the disclosure of her PHI; knowing how and when to apply these exceptions will help ensure that the provider is shielded from civil penalties under the law while the patient is cared for appropriately.