The Privacy Rule protects individually identifiable health information from uses and disclosures that unnecessarily compromise the privacy of an individual. The Rule is carefully designed to protect the privacy of health information, while allowing important health care communications to occur.
These pages address common emergency preparedness issues related to the release of protected health information for planning or response activities. In addition, please view the Civil Rights Emergency Preparedness page to learn how nondiscrimination laws apply during an emergency.
Hospitals may release individually-identifiable patient information to another hospital or health facility for the purpose of diagnosis or treatment of a patient.
A hospital may release individually-identifiable patient information to a public or private entity authorized by law or by its charter to assist in disaster relief efforts, to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the patient, or another person responsible for the care of the patient, of the patient’s location, general condition or death. However, unless they interfere with the ability to respond to the emergency, the hospital must follow these steps before disclosing information if the patient is present and has the capacity to make health care decisions:
Obtain the patient’s agreement to the disclosure;
Provide the patient with the opportunity to object to the disclosure (if the patient objects, no disclosure may be made); or,
The hospital may reasonably infer from the circumstances based on the exercise of professional judgment that the patient does not object to the disclosure.
If the patient is not present or is unable to agree or object, then the hospital may determine whether the disclosure is in the best interests of the patient and, if so, disclose only the information that is directly relevant to the disaster relief organization’s involvement with the patient’s health care.
Note: a “public or private entity authorized by law or by its charter to assist in disaster relief efforts” could include Red Cross, other hospitals, first responders, etc.
Unless the patient has requested that information be withheld (“no information” or “John Doe” patients), information about the general condition (undetermined, good, fair, serious, critical, deceased) and location of an inpatient, outpatient or emergency patient may be released to other third parties only if the inquiry specifically contains the patient’s name. This is the maximum information that may be released under this provision of the law (this provision is meant to allow visitors, clergy, florists, etc. to find patients) – however, CHA recommends that hospitals use their discretion when exercising this authority. For example, it is reasonable to give a room number to a florist who asks, “Which room is Bernice Hathaway in?” However, disclosing this information to the media would likely not comply with the HIPAA “minimum necessary” standard. And of course, a hospital should not notify other third parties of a patient’s death before the next-of-kin is notified.
If there are mass casualties, the spokesperson may release basic patient information such as the aggregate number of victims, their sex and their general conditions. However, individually-identifiable patient information may not be released without the patient’s consent.
Reference: California Civil Code Sections 56.10(c)(15), 56.1007, and 56.16; 45 C.F.R. Section 164.510 (a) and (b)(4).