Governance & Risk Management , HIPAA/HITECH , Privacy
No HIPAA Waiver Needed in Orlando Shooting AftermathPrivacy Rule Provides Flexibility in Emergencies
In the aftermath of the June 12 mass shooting at an Orlando, Fla., nightclub, confusion emerged over whether the Obama administration had issued a special public health emergency waiver to suspend certain privacy provisions of HIPAA to help ease communication between healthcare providers caring for the injured and those patients' families.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
It turned out, however, the administration did not activate the rarely used waiver because HIPAA already allows for healthcare entities to exercise "professional judgment" in discussing the care - or payment for care - of a patient with family members or friends in certain circumstances. Those circumstances include certain emergencies or cases when "the patient's incapacity" prevents providers from asking the patient for approval to discuss care with others, according to guidance posted on the Department of Health and Human Services Office for Civil Rights' website.
"The reports about a HIPAA waiver were not accurate. In this situation, there was no waiver," an OCR spokeswoman tells Information Security Media Group.
The spokeswoman points out: "HIPAA allows healthcare professionals the flexibility to disclose limited health information to the public or media in appropriate circumstances. These disclosures, which are made when it is determined to be in the best interest of a patient, are permissible without a waiver to help identify incapacitated patients, or to locate family members of patients to share information about their condition. Disclosures are permissible to same sex, as well as opposite sex, partners."
HIPAA's flexibility makes the waiver unnecessary in most urgent circumstances, security experts say.
"The HIPAA Privacy Rule has never stood in the way of healthcare providers using their professional judgment of what is in the best interest of the patient to share information about their patients' condition with their family and friends when the patient cannot communicate for themselves," notes privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek. "Decisions on what to share with family and friends is an integral part of the communications that take place in healthcare organizations every day."
Confusion After Massacre
In the hours after the Pulse nightclub massacre on June 12, it was initially unclear whether the Obama administration had, indeed, issued an official waiver of certain HIPAA provisions. The confusion started when Buddy Dyer, the mayor of Orlando, stated on CNN that he had asked for the White House to waive certain HIPAA regulations to encourage faster sharing of information with victims' family members and indicated that the White House had complied, the news site Slate reported.
However, in an updated version of Slate's story, the news site reported: "In fact, the White House did not waive any portion of HIPAA regulations on Sunday. HHS stated Monday that the necessary information sharing was already allowed under the HIPAA law as it is written, as the law states that medical professionals are allowed to share information without consent in an emergency circumstance as long as they exercise 'professional judgment.'"
The OCR spokeswoman adds that HIPAA provisions - without use of the special waiver - also allow "disclosure to assist in the notification of - including identifying or locating - a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual's location, general condition or death."
Rarely Used Waiver
Guidance posted on the HHS website about granting a HIPAA waiver notes: "If the president declares an emergency or disaster and the HHS secretary declares a public health emergency, the HHS secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule."
Those provisions include:
- The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient's care;
- The requirement to honor a request to opt out of the facility directory;
- The requirement to distribute a notice of privacy practices;
- The patient's right to request privacy restrictions;
- The patient's right to request confidential communications.
But such a waiver would only apply in the emergency area and for the emergency period identified in the public health emergency declaration. Also, it would apply only to patients in area-affected hospitals that have instituted a disaster protocol for up to 72 hours from the time the hospital implements its disaster protocol.
A federal website indicates that since 2009, a HIPAA waiver has been issued 10 times, mostly for public emergencies involving flooding, tornadoes or hurricanes. The most recent was in October and November 2012 in New York and New Jersey in the aftermath of Hurricane Sandy. Aside from emergencies involving weather, the waiver was also issued once in 2009 to help the Centers for Disease Control and Prevention deal with the H1N1 influenza pandemic.
Exercising Good Judgment
During unusually stressful situations, clinicians could make errors in judgment about the release of information about patients involved in a disaster or other crisis, some experts acknowledge.
One privacy attorney, who asked not to be identified, says that while healthcare workers "know to some extent that they generally have discretion [under HIPAA], it is just often hard to make the right judgments" about with whom to share patient health information during an emergency or crisis.
"It is often easier to say no, because you can't violate the law by not disclosing," the attorney says. "The tricky part is often figuring out who the 'right' people are to talk to. The waiver process doesn't really help on that point, and the waiver idea seldom seems to ever be relevant. I can't imagine HHS penalizing someone if they disclosed something to a parent, for example, even without a waiver."
It's important that the public trusts that healthcare providers will make the right call in information sharing, Holtzman says. "I would not want to second guess hospital staff who are dealing with life and death issues in times of crisis," he adds.
To help ensure correct professional judgments are made, "healthcare providers and hospitals should take the time to work with their staff and providers to raise awareness of opportunities to communicate with friends and family to help care for their loved ones," Holtzman suggests.