In an emergency, when there is a flurry of activity in a hospital, covered entities often struggle with who they are permitted to release patient information to under HIPAA. On January 11, 2017, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released new guidance in the form of a frequently asked question (FAQ) to address that issue in light of the attack at the Pulse Nightclub in Orlando, Florida.
The FAQ answered the specific question of when a covered entity can share a patient’s health status, treatment or payment arrangement with an individual who is not married to the patient or not otherwise recognized as a relative of the patient under applicable law. With respect to the ability to disclose information that is directly relevant to family or friends involved in the patient’s care, OCR clarified that the HIPAA Privacy Rule defers to a covered entity’s professional judgment and does not require verification that a person is a family member, friend, or otherwise involved in the patient’s care or payment for care. Relevant to tragedies such as the one at the Pulse Nightclub, OCR stated: "HIPAA allows a covered entity to disclose information about a patient as necessary to notify, or assist in the notification of (including by helping to identify or locate), such a person of the patient’s location, general condition, or death." OCR further explains that if a patient is incapacitated or unavailable, the covered entity may share information when, in its professional judgment, doing so is in the patient’s best interest.
While nothing in this guidance requires a covered entity to share such information as described above, it does provide flexibility. This flexibility can allow covered entities to react appropriately to requests for information during an emergency situation, particularly during unfortunate incidents of mass casualty and injury.
Click here for the FAQ.