While HIPAA regulations are something every covered entity must build into daily operations, it is not always simple to understand how those federal regulations apply to a particular situation. For example, when there is a potential danger to the public in terms of public health, does that mean an individual's privacy is no longer important? What happens to the HIPAA Privacy Rule during a pandemic?
This week, HealthITSecurity.com will review the importance of HIPAA compliance in emergencies, and how covered entities - and their business associates - are still expected to remain compliant in unusual situations. It is difficult to strike the right balance between maintaining patient privacy and keeping the public safe. However, there are tools in place to help healthcare organizations keep their policies current and compliant.
Are HIPAA regulations waived in emergencies?
By default, HIPAA compliance is not suspended or altered when an emergency takes place. For example, the concern across the US last year over the Ebola virus did not by itself give hospitals the right to publicize patient information.
However, the Department of Health and Human Services (HHS) Secretary can temporarily waive some Privacy Rule provisions under section 1135 of the Social Security Act. Specifically, the Secretary can waive sanctions and penalties against a covered hospital that does not comply with certain HIPAA Privacy Rule provisions. This can be done only if the President declares an emergency and the Secretary declares a public health emergency, and the waiver is narrow: it applies to hospitals in the declared emergency area that have instituted a disaster protocol, and only for up to 72 hours from the time the hospital implements that protocol. Once the declaration ends, full compliance is required again, even if the 72 hours have not elapsed.
The provisions that may be waived are:
- the requirement to obtain a patient's agreement to speak with family members or friends involved in the patient's care
- the requirement to honor a request to opt out of the facility directory
- the requirement to distribute a notice of privacy practices
- the patient's right to request privacy restrictions
- the patient's right to request confidential communications
As previously mentioned, concern over the Ebola virus in the US was very high toward the end of last year. Because of this, HHS released a bulletin on HIPAA privacy in emergency situations. In it, HHS reiterated that the Privacy Rule "is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation's public health, and for other critical purposes."
Moreover, HIPAA regulations account for public health authorities - and others responsible for ensuring public health and safety - needing to have access to PHI that is “necessary to carry out their public health mission.”
The bulletin did not state anything new about HIPAA regulations, but instead reiterated certain aspects of them to ensure that covered entities and business associates understood how to handle patient PHI in emergencies.
“In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures,” HHS explained in its bulletin. “Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.”
Why would PHI even need to be shared?
To better understand the balance between patient privacy and the public's well-being in emergencies, healthcare organizations should know why patient PHI might need to be shared in the first place.
PHI may be shared as necessary to treat that patient or another patient, according to HHS. Information may also be given to a public health authority, such as the Centers for Disease Control and Prevention (CDC) or a local health department, "for the purpose of preventing or controlling disease, injury or disability." This means a hospital that discloses PHI to the CDC during an outbreak of a virus such as Ebola can still be acting within HIPAA regulations.
PHI may also be disclosed "at the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority," according to HHS. Also among public health activities, information may be shared with individuals who are at risk of contracting or spreading a disease. This could include friends or family members of a patient.
Imminent danger is another key situation in which PHI may be shared, according to HHS. Specifically, data may be shared "with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law (such as state statutes, regulations, or case law) and the provider's standards of ethical conduct."
Even in these scenarios, HHS cautioned in its bulletin that the "minimum necessary" standard still applies:
Covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose. For example, a covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have Ebola virus disease is the minimum necessary for the public health purpose.
Overall, it is important to remember that only covered entities and business associates are bound by the HIPAA Privacy Rule. Business associates may make PHI disclosures permitted by the Privacy Rule, such as to a public health authority in an emergency. Other state or federal rules may still apply, but the Privacy Rule "does not apply to disclosures made by entities or other persons who are not covered entities or business associates (although such persons or entities are free to follow the standards on a voluntary basis if desired)."