No healthcare organization wants to compromise patient privacy, and HIPAA rules were designed to ensure that this does not occur.
Covered entities of all sizes should understand how the HIPAA Privacy Rule applies in various situations. A critical balance must be found: appropriate uses and disclosures of information must be possible when necessary to treat a patient and to protect the nation's public health, without giving up patient privacy.
Understanding emergency disclosure
Healthcare organizations are permitted, but not necessarily required, to use and disclose PHI without the patient’s consent in certain situations. These include the following:
- To the individual (unless required for access or accounting of disclosures);
- Treatment, payment, and healthcare operations;
- Opportunity to agree or object;
- Incident to an otherwise permitted use and disclosure;
- Public interest and benefit activities;
- Limited data set for the purposes of research, public health or health care operations.
For the purposes of this discussion, we will focus on the public interest aspect, as that closely relates to emergency situations and how HIPAA rules must be followed.
Typically, a healthcare provider or hospital needs to have a patient’s written consent to reveal their PHI. However, there are several instances where written consent is not required.
In November 2014, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released an emergency bulletin clarifying how HIPAA rules apply in emergency situations.
Patient information can be shared for treatment of a patient, and also as “necessary to carry out their public health mission.” For example, a covered entity could disclose PHI to a public authority, such as the Centers for Disease Control (CDC), or a state or local health department.
Moreover, PHI disclosure could be made at the direction of a public health authority, to a foreign government agency, or to persons at risk of contracting or spreading a disease or condition. Family members, friends, and others involved in an individual’s care may also receive information, according to OCR.
A covered entity may share protected health information with a patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care. A covered entity also may share information about a patient as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death. This may include, where necessary to notify family members and others, the police, the press, or the public at large.
Another critical aspect of emergency disclosure is "imminent danger," under which healthcare providers may share PHI "as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public."
However, this disclosure must still align with any applicable law, such as case law or state statutes. An organization should also remain consistent with its own ethical conduct standards.
Disclosures can also be made to the media, and others not directly involved in a patient’s care. Even so, OCR cautions that the disclosure of “specific tests, test results or details of a patient’s illness, may not be done without the patient’s written authorization (or the written authorization of a personal representative who is a person legally authorized to make healthcare decisions for the patient).”
The "minimum necessary" standard is also a key component of PHI disclosure. Covered entities should ensure that they are making reasonable efforts to limit the amount of information released to what is needed for the purpose at hand.
“For example, a covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have Ebola virus disease is the minimum necessary for the public health purpose,” OCR explains.
Protecting patient privacy
As previously mentioned, it is important for healthcare organizations to find the right balance between keeping PHI secure, while also working toward proper public safety.
“In an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures,” the emergency bulletin maintains. “Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.”
HIPAA rules are not suspended during a public health emergency or any other type of emergency situation. Should the President declare an emergency or disaster and the HHS Secretary declare a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain HIPAA Privacy Rule provisions.
However, this type of waiver only applies in the following instances:
- In the emergency area and for the emergency period identified in the public health emergency declaration
- To hospitals that have instituted a disaster protocol
- For up to 72 hours from the time the hospital implements its disaster protocol.
When these types of declarations end, OCR adds that providers have to comply with all Privacy Rule requirements for patients in their care, “even if 72 hours has not elapsed since implementation of its disaster protocol.”
Even in emergency situations, OCR underlined the fact that HIPAA rules only apply to covered entities and their business associates.
Healthcare organizations need to prevent serious or imminent threats to the health and safety of the public while also keeping patient privacy a top priority. Finding the proper balance will not be easy, but regularly reviewing federal guidelines from OCR and HHS will help entities fine-tune their procedures.