The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress and signed by President Bill Clinton in 1996. According to the U.S. Department of Health and Human Services (HHS), the HIPAA Privacy Rule establishes nation-wide standards “to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.” HIPAA also provides to patients the right to examine and obtain a copy of health records, and to request corrections.

The HIPAA Privacy Rule places restrictions on the use and disclosure of patients’ protected health information, but also ensures that appropriate uses and disclosures of the information may occur for critical purposes, including when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.

Prompted in part by the recent Ebola outbreak, the HHS’ Office for Civil Rights (OCR), issued a November 10, 2014 bulletin to ensure that HIPAA covered entities and their business associates are aware of the ways in which patient information may be shared under the HIPAA Privacy Rule in an emergency situation. The bulletin also was issued to “serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency.”

The bulletin, which can be accessed through a link on the HHS’ Health Information Privacy page, addresses both “Sharing Patient Information” and “Safeguarding Patient Information,” and describes basic restrictions for sharing protected health information during treatment, public health activities, for notification to family and friends, and to media and business associates.

While the HHS Bulletin specifically mentions that the HIPAA Privacy Rule is not suspended during a public health or other emergency, the Bulletin goes on to say that the Secretary of HHS (Secretary) may waive certain provisions of the Privacy Rule under certain circumstances. Those circumstances include declaration by the President of an emergency or disaster, or by the Secretary of a public health emergency.

In those instances, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with provisions of the Privacy Rule to obtain a patient’s agreement before speaking to family members about the patient’s care – however, that waiver would apply only to hospitals that have instituted a disaster protocol, and only would apply for 72 hours after that protocol begins.

The Bulletin states that a hospital may release limited “facility directory information to acknowledge an individual is a patient at the facility and to provide basic information about the patient’s condition in general terms (e.g., critical or stable, deceased, or treated and released) if the patient has not objected to or restricted the release of such information or, if the patient is incapacitated, if the disclosure is believed to be in the best interest of the patient and is consistent with any prior expressed preferences of the patient.”

The Privacy Rule applies to disclosures made by employees, volunteers, and other members of a “covered entity” or its “business associates.”

Covered entities comprise “health plans, health care clearinghouses, and those health care providers that conduct one or more covered health care transactions electronically, such as transmitting health care claims to a health plan.”

Business associates are defined in the Bulletin as “persons or entities (other than members of the workforce of a covered entity) that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information. Business associates also include subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate.”

The Privacy Rule does not apply to disclosures made by entities or other persons not covered entities or business associates. Therefore, HIPAA prevents no manager, supervisor, or HR person from asking for a doctor’s note if the note is needed to implement or administer sick leave, workers’ compensation, or health insurance. However, a health care provider cannot give such information directly to an employer without an authorization from the employee.