The HIPAA Privacy Rule was designed to help keep protected health information (PHI) from becoming exposed or easily accessible to the public. But what happens in an emergency situation? When does the public’s safety trump the privacy of one individual?
That debate is currently underway in Texas, as a nurse who worked at Texas Health Presbyterian Hospital Dallas is now suing her former employer for allegedly violating her privacy as a patient, as well as for not properly training her for emergency situations. Specifically, Nina Pham told the Dallas Morning News that the hospital “failed her” and her colleagues when a patient diagnosed with the Ebola virus was admitted back in Oct. 2014.
In terms of patient privacy violations, though, did the hospital actually do anything that went against HIPAA guidelines? While the impending court case will make the final decision, HealthITSecurity.com will break down the finer points of the HIPAA Privacy Rule, and discuss exactly what should happen in an emergency situation.
HIPAA privacy and patient consent
According to the HIPAA Privacy Rule, a covered entity is permitted – but not required – to use and disclose PHI without the patient’s consent in certain situations:
- To the Individual (unless required for access or accounting of disclosures);
- Treatment, Payment, and Health Care Operations;
- Opportunity to Agree or Object;
- Incident to an otherwise permitted use and disclosure;
- Public Interest and Benefit Activities;
- Limited Data Set for the purposes of research, public health or health care operations.
Moreover, there are instances where covered entities need to obtain written consent from individuals. This is for what are referred to as “authorized uses and disclosures.” For example, a covered entity must get written consent to disclose psychotherapy notes and for marketing purposes. This includes “any communication about a product or service that encourages recipients to purchase or use the product or service.”
“A covered entity must obtain an authorization to use or disclose protected health information for marketing, except for face-to-face marketing communications between a covered entity and an individual, and for a covered entity’s provision of promotional gifts of nominal value,” according to HHS.
Additionally, it must be revealed up front if the marketing involves a covered entity’s receipt of direct or indirect remuneration from a third party. Essentially, for certain disclosures of information, a healthcare provider or hospital needs a patient’s written consent to reveal their PHI. However, there are several instances where written consent is not required. This is where emergency situations come into play.
Extra guidance from the OCR
When Ebola was making headlines in the US last fall, partly due to what was happening at the Texas hospital, the Office for Civil Rights (OCR) released its own guidelines. These were meant to further clarify the HIPAA Privacy Rule, and ensure that the public and covered entities understood exactly what was allowed and why it was allowed.
“The HIPAA Privacy Rule protects the privacy of patients’ health information (protected health information) but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes,” according to the OCR.
Moreover, it is important for public health authorities and facilities responsible for ensuring public health and safety to have access to PHI that helps them fulfill their mission to keep the public safe. For example, the Centers for Disease Control (CDC) or state health departments could be given that information. Along similar lines, a foreign government agency that is working with a public health authority can be privy to certain information.
Finally, notification can also be given to individuals who are at risk of contracting or spreading a disease. This helps prevent dangerous diseases from spreading.
Even so, it is essential that the “minimum necessary” is kept, according to the OCR. Only the minimum amount of information necessary should be disclosed.
“For example, a covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have Ebola virus disease is the minimum necessary for the public health purpose. Internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties.”
A key point to the HIPAA Privacy Rule discussed by the OCR is that a covered entity can share information about a patient “as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death.” This could even include the police, the press, and the general public.
That being said, the healthcare organization must still try to obtain verbal permission from the patient. If the individual is deemed to be incapacitated, then a covered entity can disclose certain information if it decides that doing so is in the best interest of the patient.
Finding the right balance
HIPAA is meant to protect sensitive data from becoming public knowledge. However, covered entities also need to prevent serious or imminent threats to the health and safety of the public. It is not going to be easy to strike that perfect balance between patient privacy and public safety. Having current and comprehensive administrative, physical, and technical safeguards is key, as is having staff members fully educated on HIPAA rules. No covered entity can guarantee that a data breach or patient privacy violation will never occur, but covered entities must remain diligent in prevention.