Immediately following Sunday’s tragic shooting at a nightclub in Orlando, friends and family frantically gathered at Orlando Regional Medical Center, attempting to get information about their loved ones.  However, hospital officials hesitated to provide specific updates.  Why?  Because the Health Insurance Portability and Accountability Act (HIPAA) and implementing regulations restrict the patient-identifiable health information that “covered entities,” like Orlando Regional Medical Center, are permitted to disclose without proper patient authorization or consent.

Shortly following the massacre, Orlando local news outlets reported that after Orlando Regional’s CEO expressed concern regarding families requesting detailed patient health information at the hospital’s emergency room, Orlando Mayor Buddy Dyer contacted the White House and requested a waiver of the HIPAA regulations.  While the HIPAA Privacy Rule is not automatically suspended during a national or public health emergency, the Secretary of the Department of Health and Human Services (HHS) may waive certain provisions of HIPAA under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.  In order to take advantage of the waiver, the President must declare an emergency or disaster and the Secretary of HHS must declare a public health emergency.

Mayor Dyer and numerous news outlets believed that a HIPAA waiver was granted.  It is important to emphasize that while cable news networks and other media outlets referred to a general “waiver of HIPAA,” the Social Security Act’s waiver is limited: The Secretary of HHS may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the Privacy Rule.  Significantly, however, the limited waiver (if granted) would have protected Orlando Regional from any sanctions for failure to comply with the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).

While hospital officials certainly took a conservative route in hesitating to disclose specific patient information to families and friends at the emergency room, was it legally necessary for Orlando Regional Medical Center to seek a waiver of the Privacy Rule under HIPAA?  And, despite the fact that news outlets and public officials reported that a waiver was granted, did HHS actually grant such a waiver?

Under HIPAA, if any person requests information about a particular patient by name, a hospital or other health care provider may release limited facility directory information to (a) acknowledge that an individual is a patient at the facility and (b) provide basic information about the patient’s condition in general terms (e.g., critical, stable, deceased), provided that the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient.  See 45 CFR 164.510(a).

Additionally, the HIPAA Privacy Rule expressly permits disclosures of protected health information to a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care.  A hospital is also permitted to share patient information as necessary to identify, locate and notify family members, guardians, or anyone else responsible for the individual’s care of the individual’s location, general condition, or death.  Many hospitals and other health care providers wrestle with applying these permissions, however, especially in situations where a patient has not affirmatively consented to the disclosure (orally or otherwise) or definitively identified the family member or other person as “involved in the patient’s care.”

This proved to be the challenge in Orlando, where, given the extent of the injuries, patients were unable to consent to requested disclosures and the health care providers likely did not know whether or not a requestor of patient information was “involved in the patient’s care.”  In addition, with more than 50 patients wounded, the hospital likely did not have the time or resources to verify the identity of each individual.

Importantly, the HIPAA Privacy Rule anticipates that in exigent circumstances, a patient may not be able to consent to or authorize a requested disclosure.  In this case, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual patient and, if so, disclose only the protected health information that is directly relevant to the person’s involvement with the individual’s care.

Therefore, the HIPAA Privacy Rule anticipates that disclosures may be necessary in an emergency circumstance, and grants covered entities, like Orlando Regional, reasonable discretion to disclose limited protected health information not just to family members, but also to friends involved in a patient’s care. Such disclosures are permitted even in the absence of the limited waiver described above.  Further, covered entities may disclose a patient’s location and general condition to any person who asks for the individual by name if the disclosure is believed to be in the best interest of the patient.  This is a commonly misunderstood aspect of the HIPAA regulations.

As reported by Modern Healthcare, it turns out HHS never granted a limited waiver of HIPAA because of the exceptions summarized above.  “HIPAA allows health care professionals the flexibility to disclose limited health information to the public or media in appropriate circumstances,” Kevin Griffis, assistant secretary for public affairs at HHS, told Modern Healthcare.

HHS has in the past released guidance following emergencies such as Hurricane Katrina.  We will monitor HHS’s website to see if, consistent with past large-scale tragedies, HHS provides additional guidance on how to balance the requests of loved ones with patient privacy during emergencies.

Providers should be aware that in times of crisis, the HIPAA Privacy Rule does allow for flexibility and provides mechanisms by which certain disclosures are permitted even if a patient is incapacitated.  Providers must exercise professional judgment, however, and take action in the best interests of the patient.  In addition, providers should ensure that their Notice of Privacy Practices is consistent with their operations; any uses or disclosures of protected health information (even those that do not require a formal authorization) must still be consistent with the covered entity’s Notice of Privacy Practices.