The Privacy Rule protects individually identifiable health
information from uses and disclosures that unnecessarily
compromise the privacy of an individual. The Rule is carefully
designed to protect the privacy of health information, while
allowing important health care communications to occur.
These pages address common emergency preparedness issues related
to the release of protected health information for planning or
response activities. In addition, please view the Civil
Rights Emergency Preparedness page to learn how nondiscrimination
laws apply during an emergency.
Hospitals may release individually-identifiable patient
information to another hospital or health facility for the
purpose of diagnosis or treatment of a patient.
A hospital may release individually-identifiable patient
information to a public or private entity authorized by law or by
its charter to assist in disaster relief efforts, to notify, or
assist in the notification of (including identifying or
locating), a family member, a personal representative of the
patient, or another person responsible for the care of the
patient, of the patient’s location, general condition or
death.However, unless the following steps interfere with the
ability to respond to the emergency, the hospital must follow the
following steps before disclosing information if the patient is
present and has the capacity to make health care decisions:
Obtain the patient’s agreement to the disclosure;
Provide the patient with the opportunity to object to the
disclosure (if the patient objects, no disclosure may be made);
The hospital may reasonably infer from the circumstances
based on the exercise of professional judgment that the patient
does not object to the disclosure. If the patient is not present
or is unable to agree or object, then the hospital may determine
whether the disclosure is in the best interests of the patient
and, if so, disclose only the information that is directly
relevant to the disaster relief organization’s involvement with
the patient’s health care.
Note: a “public or private entity authorized by law or by its
charter to assist in disaster relief efforts” could include Red
Cross, other hospitals, first responders, etc.
Unless the patient has requested that information be withheld
(“no information” or “John Doe” patients, information about the
general condition (undetermined, good, fair, serious, critical,
deceased) and location of an inpatient, outpatient or emergency
patient may be released to other third parties only if the
inquiry specifically contains the patient’s name. This is the
maximum information that may be released under this provision of
the law (this provision is meant to allow visitors, clergy,
florists, etc. to find patients) – however, CHA recommends that
hospitals use their discretion when exercising this authority.
For example, it is reasonable to give a room number to a florist
who asks, “Which room is Bernice Hathaway in?” However,
disclosing this information to the media would likely not comply
with the HIPAA “minimum necessary” standard. And of course, a
hospital should not notify other third parties of a patient’s
death before the next-of-kin is notified.
If there are mass casualties, the spokesperson may release
basic patient information such as the aggregate number of
victims, their sex and their general conditions. However,
individually-identifiable patient information may not be released
without the patient’s consent.
Reference: California Civil Code Sections 56.10(c)(15),
56.1007, and 56.16; 45 C.F.R. Section 164.510 (a) and (b)(4).