
When can HIPAA be broken?

HIPAA can be legally broken in certain situations, including emergencies, immediate public health concerns, law enforcement purposes, and scenarios that ensure the smooth operation of healthcare systems.

 

When HIPAA can be broken, waived, and exempted

Legally broken refers to situations where healthcare providers must use their judgment to prioritize immediate patient safety over strict adherence to HIPAA regulations. This involves breaking confidentiality as a legal necessity. 

HIPAA waivers occur when legal authorization is given to set aside certain requirements in specific circumstances, such as public health crises or natural disasters. Exceptions are built into HIPAA regulations, allowing for certain disclosures or uses of protected health information (PHI) without the need for patient authorization.

 

When can a health provider make a calculated decision to break HIPAA regulations?

In 2014, the US Department of Health and Human Services' Office for Civil Rights (OCR) issued a bulletin addressing exceptions for emergencies in response to global public health crises.

This bulletin clarified how a patient's PHI can be used in emergencies without violating rules. While it states explicitly that the privacy rule is "not set aside during an emergency," it defines additional ways that PHI can be used for "critical purposes." When it comes to sharing patient information, these exceptions are allowed in emergencies:

 

Public health

In an urgent public health situation, the immediate disclosure of PHI may be required to prevent or control disease, injury, or disability. 

 

Treatment

Healthcare providers can share a patient's health information for their treatment without needing the patient's permission, ensuring that the necessary medical care is provided promptly.

 

Imminent threat

To prevent or lessen a serious and imminent threat to the health and safety of a person or the public, health providers may need to make a judgment call to prioritize safety measures over strict adherence to HIPAA regulations.

 

Notification

Providers can share a patient's health information with specified family or friends, promoting effective communication and support during medical treatment.

 

Media

Hospitals can provide basic information about a patient's presence and general condition to the media while respecting the patient's privacy and helping keep the public informed during significant health events.

 

Law enforcement

Healthcare professionals may disclose PHI to law enforcement in specific circumstances, such as when a crime occurs on the premises or when a valid warrant or court order is presented.

In the news: Vanderbilt Medical Center under investigation for releasing transgender patient records

 

When is HIPAA waived? 

The HIPAA waiver of authorization is a legal document that allows covered entities to disclose a patient's PHI to third parties without the individual's permission. HIPAA waivers are commonly utilized in emergencies, research, and natural disasters. These waivers allow for the exemption of some HIPAA regulations to ensure immediate patient care, research advancement, and efficient responses to crises.

Two conditions must be met: a presidential emergency declaration and an HHS Secretary's public health emergency declaration. 

This waiver is limited to the affected area and a specific time frame. Hospitals with disaster plans can also temporarily waive Privacy Rule requirements.

When the conditions mentioned above are met, the Secretary can waive Privacy Rule provisions relating to:

  • The requirement to give patients an opportunity to agree or object to inclusion in a facility directory or notifying family and friends (§164.510)
  • The requirement to provide a Notice of Privacy Practices and obtain written confirmation that the Notice has been received (§164.520)
  • Patients' rights to request restrictions on the uses and disclosures of PHI and request confidential communications (§164.522)

 

What are the exceptions to HIPAA?

HIPAA also contains inherent exceptions that allow for the disclosure or use of protected health information (PHI) without the need for specific authorization. These exceptions ensure public health, safety, and the effective functioning of healthcare systems.

  • Oversight of the healthcare system (e.g., licensing and regulation)
  • Judicial and administrative proceedings
  • Medical examinations
  • Body identification of a deceased person or investigation of the cause of death
  • Facility directories
  • Workers' compensation
  • Other situations where the use or disclosure is mandated by other laws (e.g., state and local)

Sharing PHI should follow the minimum necessary rule to ensure that healthcare professionals only communicate what is essential to achieve the intended purpose. Health professionals are encouraged to use their discretion and consider what information is relevant and required for the situation.
