No, HIPAA was not waived in Orlando, and here's why

Story highlights

  • There was no waiver of medical privacy laws after the Orlando nightclub shooting
  • The Department of Health and Human Services said no waiver was necessary

(CNN)In the aftermath of the deadly shooting at Pulse, an Orlando gay bar, family and friends of wounded victims sought all the information they could about their loved ones' health. But there was mass confusion around medical privacy and the Health Insurance Portability and Accountability Act of 1996, known as HIPAA.

Orlando Mayor Buddy Dyer said Sunday that he contacted the White House to "waive" HIPAA regulations so doctors could update shooting victims' loved ones about their conditions. Some news outlets even reported that the waiver was an unusual step for the federal government but important for gay rights.
    However, according to the U.S. Department of Health and Human Services, there was no "waiver" after all. It wasn't needed.
    Mayor: 50 dead in Orlando nightclub shooting
    Mayor: 50 dead in Orlando nightclub shooting

      JUST WATCHED

      Mayor: 50 dead in Orlando nightclub shooting

    MUST WATCH

    Mayor: 50 dead in Orlando nightclub shooting 01:10
    HIPAA allows doctors the flexibility to disclose limited health information to the public or media when appropriate, such as when a person may be in stable, serious or critical condition (PDF), Marissa Padilla, the department's principal deputy assistant secretary for public affairs, said in an email.
    Dyer's office confirmed Tuesday that, even though he requested for the waiver, the law itself was sufficient in allowing for the necessary information sharing.
    "These disclosures, which are made when it is determined to be in the best interest of a patient, are permissible without a waiver to help identify incapacitated patients, or to locate family members of patients to share information about their condition," Padilla said. "Disclosures are permissible to same sex, as well as opposite sex, partners."
    In other words, doctors can talk to a patient's family and loved ones without a "waiver." Nonetheless, health officials tend to err on the side of caution, as HIPAA violations can result in steep fines up to $50,000, as well as criminal penalties.
    Here are some questions and answers about how HIPAA really works.

    Can a HIPAA regulation ever be suspended or waived?

    HIPAA can be waived in the context of public health disclosures or if there is health care oversight, such as an audit. In other instances, regulations may be waived for health care research or law enforcement purposes, said Margaret Riley, a professor at the University of Virginia School of Law.
    "HIPAA is waived for the interests of a patient or for important health interests of another individual that cannot be provided in other ways with some frequency. Health providers are given discretion to make that call," Riley said.
    "I've seen a number of cases where individuals with a contagious disease -- and sometimes even with something like cancer -- did not want even family members to know," she added. "Usually, they can be convinced that the information will be disclosed carefully and minimally. If the disclosure is really needed to protect another individual's health or well-being, it will be disclosed even if the patient refuses."

    When might HIPAA provisions be lifted on a broad scale during a state of emergency?

    Though it's rare for HIPAA provisions to be lifted for an entire hospital or community, it's not impossible. If that were to occur, it would apply only after the White House had declared a public health emergency, and it would take effect in the emergency area for up to 72 hours.
    As written, the law allows patient information to be shared if it can assist in disaster relief efforts. This was seen during Hurricane Katrina in 2005, for instance, when patient information was shared with the American Red Cross so that those patients could receive the best care. The Department of Health and Human Services even released a bulletin during the disaster to emphasize how the HIPAA Privacy Rule allows patient information (PDF) to be shared during emergency situations.
    "It's designed, I think, to allow hospitals and emergency responders to exchange information, so you don't have to worry about transferring information in the case of bioterrorism or a mass casualty event," said Peter Jacobson, professor of health law and policy at the University of Michigan's School of Public Health.
    "To treat victims, you move people from one location to another. So you have to find out, what's their history? What specific medical requirements do they have? Where can they be sent to receive the treatment they need? If you don't have that, you would exacerbate the harms in a national emergency," he explained. "But the law's not set up as a procedure, as much as an allowance for public health officials to step in and say to the hospitals, 'disclose and share this information.'"

    In what other situations does HIPAA, as written, permit information to be shared?

    Information about a patient can be released whenever the patient may authorize it. A designated family member or loved one also can authorize the release of such information on a patient's behalf.
    Additionally, there are situations where authorization is not required. Those include whenever a patient may pose a public health threat, when law enforcement may need a patient's information or when a patient's information must be shared with another entity.
    "For example, HIPAA allows a doctor to release information to an insurance company to receive payment," said Craig Konnoth, a lecturer at the University of Pennsylvania Law School. "Many teens and young adults are on their parents' health insurance plans. There are plenty of examples of young women paying for contraception out of pocket, or young adults paying for STD-related matters out of pocket, to prevent their parents from learning about this aspect of their medical needs."

    Is the LGBT community uniquely affected by HIPAA?

    HIPAA allows doctors to provide information not only to a victim's legal spouse or relative but to a "close personal friend," which often would include a long-term partner for both heterosexual and homosexual couples.
    Join the conversation

    See the latest news and share your comments with CNN Health on Facebook and Twitter.

    However, Riley points out, because HIPAA breaches could result in serious penalties, many doctors might act cautiously and disclose information only to a patient's family member or legal spouse.
    "Although there is now marriage equality in all states, many in the LGBT community may not be legally married and yet have been in very close and long-term relationships," Riley said. "But because they aren't legally recognized as family, they may not be treated as such. That means that they may not be given visitation rights or even information about how their loved one is -- even though they may in reality be much closer to the patient than family members who are given access."
    Konnoth noted that such incidents sometimes could be a result of anti-LGBT prejudice. In 2008, Janice Langbehn's partner, Lisa Pond, suddenly collapsed in Miami and was admitted to Jackson Memorial Hospital, but Langbehn was denied visitation and even updates.
    "Ms. Langbehn reported that a hospital worker told her that she was in an 'anti-gay city and state,' " said Konnoth, who studies medical privacy and LGBT issues. "Langbehn's story led President Obama to issue a memorandum to the Department of Health and Human Services to issue regulations prohibiting such anti-gay discrimination in 2010. This was one of the first gay-protective actions of his administration."