On September 7, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) issued an announcement containing disaster preparedness and recovery guidance in advance of Hurricane Irma. The announcement follows a bulletin issued in late August, during Hurricane Harvey, that addressed how protected health information (“PHI”) may be shared during emergencies. Together, these communications underscore the key privacy and security obligations that entities covered by HIPAA must keep in mind in order to protect individuals’ health information before, during and after an emergency.

Among other things, these two pieces of guidance highlight the following considerations:

  • Application of HIPAA. HIPAA applies only to covered entities (certain health plans, health care clearinghouses and health care providers) and business associates (generally, service providers that create, receive, maintain or transmit PHI on behalf of covered entities or other business associates). Entities that fall into neither category, and their workforce members, are not directly subject to HIPAA. The American Red Cross, for example, is not restricted by the HIPAA Privacy Rule from sharing health information.
  • Privacy and Disclosures. The HIPAA Privacy Rule always allows for PHI to be shared for certain purposes which may be relevant in emergency situations. For example, covered entities may use and disclose PHI as necessary for treatment purposes. These include “the coordination or management of health care and related services by one or more health care providers and others, consultation between providers, and the referral of patients for treatment.” OCR maintains an interactive tool to assist organizations in understanding how HIPAA applies to disclosures of PHI in emergency situations.
  • Safeguards and Contingency Plans. Organizations covered by HIPAA must continue to protect PHI during an emergency by implementing reasonable safeguards against impermissible uses and disclosures. In addition, the Security Rule requires administrative, physical and technical safeguards for electronic PHI, including a contingency plan. Under the Security Rule, the contingency plan standard carries a number of prescribed implementation specifications: a data backup plan, a disaster recovery plan and an emergency mode operation plan are required, and testing and revision procedures and an applications and data criticality analysis are addressable (meaning the organization must implement them if reasonable and appropriate, or document why not and adopt an equivalent alternative).

In addition to the above, the August bulletin covered the decision by the Secretary of HHS to issue a limited waiver for covered hospitals in Texas and Louisiana after previously declaring a public health emergency in those states. HIPAA is not suspended during an emergency; rather, the Secretary exercised the authority to waive sanctions and penalties for violations of certain specific provisions, including the requirement to honor a request to opt out of the facility directory and a patient’s right to request privacy restrictions. Beyond being limited to those specific HIPAA requirements, the waiver applies only: (1) in the emergency area and for the emergency period identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol. Once the declaration ends, or the 72-hour window closes, the hospital must again comply with all Privacy Rule requirements for every patient still under its care.