Skip to main content

HHS Releases HIPAA Bulletin in Wake of California Wildfires

Analysis  |  By Revenue Cycle Advisor  
   September 01, 2020

When the PHE declaration is terminated, CEs must comply with all the normal requirements of the HIPAA Privacy Rule for any patient still under its care.

A version of this article was first published September 1, 2020, by HCPro's Revenue Cycle Advisor, a sibling publication to HealthLeaders.

Following the public health emergency (PHE) declaration in the state of California due to wildfires, HHS released a bulletin covering HIPAA waivers and disclosures during emergency situations.

Under PHE circumstances, HHS Secretary Alex Azar has exercised the authority to waive sanctions and penalties against a covered entity (CE) that does not comply with the following provisions of the HIPAA Privacy Rule:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
  • The requirement to honor a request to opt out of the facility directory
  • The requirement to distribute a notice of privacy practices
  • The patient’s right to request privacy restrictions
  • The patient’s right to request confidential communications

The waiver applies only in the emergency area during the PHE, to hospitals that have instituted disaster protocol, and for up to 72 hours from the time the hospital implements its disaster protocol.

When the PHE declaration is terminated, CEs must comply with all the normal requirements of the HIPAA Privacy Rule for any patient still under its care.

In the bulletin, HHS also highlighted how the HIPAA Privacy Rule allows patient information to be shared in emergency situations, even in the absence of a waiver.

Under the Privacy Rule, CEs are permitted to disclose protected health information (PHI) with or without a patient’s authorization if the disclose is necessary to treat the patient or another person who may be affected by the same emergency situation.

The Privacy Rule also enables CEs to disclose PHI without individual authorization to public health authorities such as the Centers for Disease Control and Prevention or a state or local health department for the purpose of preventing or controlling disease, injury, or disability.

In addition, CEs can make disclosures to family, friends, and others involved in an individual’s care. Information may be shared about a patient to identify and locate the patient.

The bulletin notes that disclosures to the media should be limited to facility directory information and basic information about the patient’s condition if the patient has not objected to the release of such information. Except in limited circumstances, CEs cannot disclose to the media or public specific information about the treatment of an identifiable patient—such as specific test results or details of the patient’s illness or injury—unless the patient or a personal representative has provided written authorization.

For more information on HIPAA disclosures in emergency situations, see the HHS bulletin.

Revenue Cycle Advisor combines all of HCPro's Medicare regulatory and reimbursement resources into one handy and easy-to-access portal. News is not just repeated from other sources. It is analyzed by our Medicare experts so professionals can comprehend any new rule and regulatory updates thoroughly. Learn more.

Photo credit: 08/23/2020,California:Hundreds of wildfires are burning across California leading thousands to evacuate –amid a scorching heat wave that is now in its second week. / Editorial credit: StratosBril /

Get the latest on healthcare leadership in your inbox.