Waiver of Authorization: Exceptions When HIPAA Can be Broken

Are you aware of the HIPAA waiver of authorization and when it applies? The Health Insurance Portability and Accountability Act (HIPAA) outlines various patient privacy safeguards, including the HIPAA waiver.

The HIPAA waiver is allowed under the HIPAA Privacy Rule. It is a legal document that permits covered entities to use or disclose a patient’s protected health information (PHI), without individual authorization, to a third party when meeting specific conditions (1). 

If you work with PHI, it’s crucial to understand the waiver of HIPAA authorization and when HIPAA exceptions apply. 

Can HIPAA be Waived?

Under the limited conditions of the waiver of HIPAA authorization, healthcare professionals are permitted to disclose patient medical information to third parties, including researchers, lawyers, doctors, and relatives (1). 

Because healthcare workers can now transfer patient PHI by email rather than by mail or fax, protecting healthcare privacy has become more important in the digital age.

Protected health information (PHI, i.e. patient information covered under HIPAA) is health data maintained by a covered entity that can be used to identify a specific patient.

Covered entities include (1): 

  • Health plans  
  • Healthcare providers
  • Healthcare clearinghouses (a third-party system that interprets claim data between providers and insurance payers)

HIPAA Emergency Exception

The Privacy Rule authorizes HIPAA exceptions during emergencies when treating an individual patient or protecting public health. In such a situation, the safety of the patient or the public takes priority over patient privacy.

The HIPAA Privacy Rule is not suspended during a national or public health emergency. However, the Secretary of the Department of Health and Human Services (HHS) may waive specific HIPAA Privacy Rule requirements and the associated noncompliance sanctions. Such a waiver was invoked in response to the coronavirus and is permitted under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act (2).

Two conditions must be fulfilled before the Secretary can put the Privacy Rule waiver into effect: 

  1. The President declares an emergency or disaster.
  2. The Secretary of HHS declares a public health emergency. 

In the case of coronavirus, both conditions were satisfied. 

According to the March 2020 COVID-19 & HIPAA Bulletin by the HHS, under the Privacy Rule waiver, the Secretary waives penalties and fines against a covered entity hospital that does not comply with specific provisions of the HIPAA Privacy Rule. These provisions are (2):

  • The requirements to obtain a patient's agreement to speak with relatives or friends involved in the patient’s care (45 CFR 164.510(b))
  • The requirement to honor a request to opt-out of the facility directory (45 CFR 164.510(a))
  • The requirement to distribute a notice of privacy practices (45 CFR 164.520)
  • The patient's right to request privacy restrictions (45 CFR 164.522(a))
  • The patient's right to request confidential communications (45 CFR 164.522(b))

When Can HIPAA be Broken?

According to the same COVID-19 & HIPAA Bulletin by the HHS, when the Secretary issues such a waiver, it only applies (2):

  1. In the emergency region and for the emergency timeline identified in the public health emergency declaration.
  2. To hospitals that have instituted a disaster protocol (the waiver applies to all patients at such hospitals).
  3. For up to 72 hours from the time the hospital implements its disaster protocol.

Even if 72 hours have not passed since the hospital activated its disaster protocol, once the Presidential or Secretarial declaration ends the hospital must again comply with all Privacy Rule standards for any patient still in its care (2).

The HIPAA Privacy Rule permits disclosures for treatment purposes and specific disclosures to emergency relief groups regardless of whether an emergency waiver has been implemented.

For example, the American Red Cross may receive patient records from covered entities under the Privacy Rule so that it can inform the patient's family of their location (45 CFR 164.510(b)(4)) (3).

HIPAA Exceptions List 

The HHS states that a covered entity is allowed, but not obliged, to use and disclose PHI without a person's authorization in the following circumstances (1):

  • To the Individual (unless required for access or accounting of disclosures) 
  • Treatment, Payment, and Health Care Operations 
  • Opportunity to Agree or Object 
  • Incident to an otherwise permitted use and disclosure 
  • Public Interest and Benefit Activities
  • Limited Data Set for research, public health, or healthcare operations 

Regarding treatment, payment, and healthcare operations, uses and disclosures made to facilitate another party's activity are subject to limitations. A covered entity is permitted to disclose PHI to (4):

  • Any other provider (even a non-covered entity) to facilitate that provider's treatment activities.
  • Any covered entity or any provider (even a non-covered entity) to facilitate that party's payment activities. 
  • Another covered entity to facilitate some of that entity's healthcare operations.
  • Any other covered entity participating in the same organized healthcare arrangement, for the healthcare operations of that arrangement.

HIPAA Privacy Rule Exceptions 

The HIPAA Privacy Rule permits the following use and disclosure of PHI, even without a waiver of authorization (1): 

  • Oversight of the healthcare system
  • Informing next of kin
  • Medical examiner
  • Facility directories
  • Notification and other purposes
  • Required by law
  • Public health activities
  • Victims of abuse, neglect, or domestic violence
  • Health oversight activities
  • Judicial and administrative proceedings
  • Law enforcement purposes
  • Identification of a deceased person or investigation
  • Cadaveric organ, eye, or tissue donation
  • Research
  • Serious threat to health or safety
  • Essential government functions
  • Workers' compensation

As with other disclosures allowed under the Privacy Rule (other than disclosures for treatment purposes), information released under the Privacy Rule must be limited to the minimum necessary, and the covered entity must apply reasonable safeguards to prevent unauthorized use of patient data.

Moreover, healthcare workers must always apply their best judgment when determining when, what, and to whom to disclose an individual’s information. 

For more detailed information on the permitted use and disclosure of patient information, visit the U.S. Department of Health & Human Services (HHS) Summary of the HIPAA Privacy Rule webpage, or learn more by signing up for one of our HIPAA courses.