
When can HIPAA be broken?

HIPAA can be legally broken in certain situations, including emergencies, immediate public health concerns, law enforcement purposes, and scenarios that ensure the smooth operation of healthcare systems.

When HIPAA can be broken, waived, and exempted

"Legally broken" refers to situations where healthcare providers must use their judgment to prioritize immediate patient safety over strict adherence to HIPAA regulations. In these cases, breaking confidentiality is a legal necessity.

A HIPAA waiver occurs when legal authorization sets specific requirements aside in defined circumstances, such as public health crises or natural disasters. Exceptions, by contrast, are built into the HIPAA regulations themselves and allow certain uses or disclosures of protected health information (PHI) without the need for patient authorization.

When can a health provider make a calculated decision to break HIPAA regulations?

In 2014, the US Department of Health and Human Services' Office for Civil Rights (OCR) issued a bulletin addressing exceptions for emergencies in response to global public health crises.

This bulletin clarified how a patient's PHI can be used in emergencies without violating rules. While it states explicitly that the privacy rule is "not set aside during an emergency," it defines additional ways that PHI can be used for "critical purposes." When it comes to sharing patient information, these exceptions are allowed in emergencies:

Public health

In an urgent public health situation, the immediate disclosure of PHI may be required to prevent or control disease, injury, or disability.

Treatment

Healthcare providers can share a patient's health information for their treatment without needing the patient's permission, ensuring that the necessary medical care is provided promptly.

Imminent threat

To prevent or lessen a serious and imminent threat to the health and safety of a person or the public, health providers may need to make a judgment call to prioritize safety measures over strict adherence to HIPAA regulations.

Notification

Providers can share a patient's health information with specified family or friends, promoting effective communication and support during medical treatment.

Media

Hospitals can provide basic information about a patient's presence and general condition to the media while respecting the patient's privacy and helping keep the public informed during significant health events.

Law enforcement

Healthcare professionals may disclose PHI to law enforcement in specific circumstances, such as when a crime occurs on the premises or when a valid warrant or court order is presented.

When is HIPAA waived?

The HIPAA waiver of authorization is a legal document that allows covered entities to disclose a patient's PHI to third parties without the individual's permission. HIPAA waivers are commonly used in emergencies, research, and natural disasters. They allow some HIPAA requirements to be set aside to ensure immediate patient care, research advancement, and efficient responses to crises.

For the HHS Secretary's emergency waiver, two conditions must be met: the President has declared an emergency, and the HHS Secretary has declared a public health emergency.

This waiver is limited to the affected area and a specific time frame. Hospitals with disaster plans can also temporarily waive Privacy Rule requirements.

When the conditions mentioned above are met, the Secretary can waive Privacy Rule provisions relating to:

  • The requirement to give patients an opportunity to agree or object to inclusion in a facility directory or to the notification of family and friends (§164.510)
  • The requirement to provide a Notice of Privacy Practices and obtain written confirmation that the Notice has been received (§164.520)
  • Patients' rights to request restrictions on the uses and disclosures of PHI and to request confidential communications (§164.522)

What are the exceptions to HIPAA?

HIPAA also contains inherent exceptions that allow the use or disclosure of PHI without specific authorization. These exceptions ensure public health, safety, and the effective functioning of healthcare systems.

  • Oversight of the healthcare system (e.g., licensing and regulation)
  • Judicial and administrative proceedings
  • Medical examinations
  • Body identification of a deceased person or investigation of the cause of death
  • Facility directories
  • Workers' compensation
  • Other situations where the use or disclosure is mandated by other laws (e.g., state and local)

Sharing PHI should follow the minimum necessary rule to ensure that healthcare professionals only communicate what is essential to achieve the intended purpose. Health professionals are encouraged to use their discretion and consider what information is relevant and required for the situation.


In the news

During the 2014 Ebola outbreak, the case of Dr. Craig Spencer in New York City illustrated how HIPAA regulations could be legally broken to address urgent public health concerns. Dr. Spencer contracted Ebola while treating patients in Guinea and was diagnosed after returning to the U.S. To prevent the spread of the virus and protect public safety, the New York City Department of Health and Mental Hygiene disclosed certain details about his medical condition and recent activities. This information was needed for contact tracing and informing the public about potential exposure risks, demonstrating how HIPAA's public health exception allows for the sharing of PHI without patient authorization in emergencies.

The legal basis for these disclosures included the public health exception, which permits PHI sharing to prevent or control diseases, and the imminent threat provision, allowing the release of information to address serious and immediate threats to public health. Additionally, informing the media and public helped manage fear and ensured transparency in the health response, proving the necessity of balancing patient privacy with public safety during health crises.

FAQs

Under what circumstances can HIPAA be broken without patient consent?

HIPAA can be broken without patient consent in several circumstances, including for public health activities, law enforcement purposes, cases of abuse or neglect, organ donation processes, research (with IRB approval), workers' compensation claims, and emergencies where there is a serious threat to health or safety. These exceptions are designed to protect public interests and ensure effective healthcare delivery.

How does HIPAA address disclosures to family members or others involved in a patient's care?

HIPAA allows healthcare providers to disclose PHI to family members or others involved in a patient's care if the patient does not object. If the patient is not present or is incapacitated, providers can share information if they determine that it is in the patient's best interest based on professional judgment. This includes instances like notifying family members of a patient's location, condition, or death.

Are there any situations where HIPAA permits the use of PHI for health oversight activities?

Yes, HIPAA allows the use and disclosure of PHI for health oversight activities authorized by law. This includes audits, investigations, inspections, licensure, or disciplinary actions necessary for oversight of the healthcare system, government benefit programs, and regulatory compliance.

Can healthcare providers share PHI with other providers for continuity of care?

Yes, HIPAA permits healthcare providers to share PHI with other healthcare providers for treatment purposes without patient authorization. This includes consultations between providers or referrals to specialists, ensuring continuity and coordination of care for the patient.

What protections does HIPAA have in place when disclosures are made under its exceptions?

HIPAA requires that any disclosure of PHI under its exceptions must be the minimum necessary to accomplish the intended purpose. Covered entities must also take reasonable steps to safeguard PHI and limit access to those who need it for the specified purpose. Additionally, specific conditions and safeguards are often required for certain types of disclosures, such as obtaining an IRB waiver for research purposes.
