So you may have read an article on Slate saying that the President could only waive HIPAA after the Orlando terrorist attack if he declared a national emergency AND HHS declared a public health emergency. But if you read Becker’s Health IT and CIO Review, you learn that no, it didn’t really need to be waived, as HIPAA already has some emergency provisions:
… the HIPAA Privacy Rule does permit disclosing patient information in certain instances, regardless of whether an emergency waiver is activated. According to a bulletin from the Office for Civil Rights outlining HIPAA privacy in emergency situations, covered entities are permitted to disclose protected health information to family members, relatives, friends or others identified by the patient involved in the patient’s care. This includes information on the patient’s location, general condition or death. “If the individual is incapacitated or not available, covered entities may share information for these purposes if, in their professional judgment, doing so is in the patient’s best interest,” according to the bulletin.Though disclosure of certain types of information is permitted during emergencies, broader protections of the privacy rule are still in place.
This appears to be the case for the Orlando shooting, Kirk Nahra, a health privacy attorney in Washington, D.C., told Politico, adding covered entities should still take some precaution when sharing information.