Skip to content

Discerning Data

  • About Us
  • Additional Resources
  • Contact Us

DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy
  • Privacy
  • Cybersecurity
  • Data Strategy
  • Disruptionware

OCR Reminder on How to Manage HIPAA Privacy Requirements during Emergency Relief Efforts

Share

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a reminder to its listserv subscribers following the Las Vegas Strip shooting on October 1, 2017, that HIPAA covered entities are permitted to share patient protected health information (PHI) under the HIPAA Privacy Rule  to carry out specific purposes and under certain circumstances.

For most disclosures, however, a covered entity must make reasonable efforts to limit the information disclosed to that which is minimally necessary to accomplish the purpose.  Per OCR’s reminder, covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose.

The following is a summary of OCR’s reminder and the uses and disclosures available under 45 C.F.R. §164.510.

Disclosure to Family, Friends, and Others Involved in an Individual’s Care and for Notification

  1. The Privacy Rule permits covered entities to share PHI with a patient’s family, relatives, close friends, or other persons identified by the patient as involved in the patient’s care in the following situations:
    • If a patient is present for, or otherwise available prior to, this permitted use or disclosure and has the capacity to make health care decisions:
      • A covered entity may use or disclose the PHI if it (1) obtains the patient’s consent, (2) provides the patient with the opportunity to object to the disclosure and the patient does not object, or (3) reasonably infers from the circumstances, based on professional judgment, that the patient does not object to such disclosure.
    • If a patient is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the patient’s incapacity or an emergency circumstance:
      • A covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interest of the patient and, if so, disclose only the PHI that is directly relevant to the person’s involvement with the patient’s care related to the patient’s health care or needed for notification purposes.
    • If a patient is deceased:
      • A covered entity may disclose PHI to those persons described above who were involved in the patient’s care prior to the patient’s death so long as such disclosure is relevant to such person’s involvement, unless doing so is inconsistent with any prior expressed patient preference known to the covered entity.
  1. Covered entities may also share PHI as necessary to identify, locate, and notify, or assist in the notification of, family, personal representatives, or anyone else responsible for the patients’ care regarding the patient’s location, general condition, or death.
    • In addition to the requirements described in (1) above, a covered entity may disclose PHI to a public or private entity authorized by law or its charter to assist in disaster relief efforts. Such disclosures must follow the aforementioned requirements to the extent that a covered entity, in the exercise of professional judgment, determines that the requirements do not interfere with the ability to respond to the emergency circumstances.

More information for individuals, family, and friends is available at: https://www.hhs.gov/hipaa/for-individuals/family-members-friends/index.html.

OCR offers health care professionals FAQs on Disclosures to Friends and Family Members at: https://www.hhs.gov/hipaa/for-professionals/faq/disclosures-to-family-and-friends.

Disclosures to Media or Others Not Involved in the Care of the Patient/Notification

Except when a patient objects in advance, a covered entity may release limited facility directory information to persons who request such information about a patient by name.    The information is limited to:

  1. The patient’s name;
  2. The patient’s location in the covered entity’s facility; and
  3. The patient’s condition described in general terms that does not communicate specific medical information about the individual (e.g., the patient is critical or stable, deceased, or treated and released, etc.).

OCR offers an FAQ on disclosures to the media at: https://www.hhs.gov/hipaa/for-professionals/faq/2023/film-and-media/index.html.

If you have any questions about these uses and disclosures or HIPAA compliance more generally, please feel free to contact any member of Drinker Biddle’s Health Care Team or Information, Privacy, Security and Governance Team.

About the Author: Sumaya M. Noush

Sumaya Noush counsels health care clients on strategic and operational matters, including transactions, corporate governance and regulatory compliance. View Sumaya's full bio on the Faegre Drinker website.

Receive Email Alerts to New Articles

SUBSCRIBE

October 18, 2017
Written by: Sumaya M. Noush
Category: Health Care, HHS, HHS/OCR, HIPAA, Privacy

Post navigation

Previous Previous post: Tech Companies Issue White Paper Recommending a National IOT Strategy
Next Next post: Department of Education Posts CyberAdvisory on Extortion and Student Data Threats

Search the Blog

Sign Up for Email Alerts

PODCASTS

Faegre Drinker on Law and Technology

©2022 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.

  • About Us
  • Additional Resources
  • Contact Us
We use cookies to improve your experience with our website. By browsing our site, you are agreeing to the use of cookies. For more information about how we use cookies, please review our privacy policy and cookie policy. OK
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT