Managing HIPAA Compliance During Natural Disasters
Hurricane season is upon us. Natural disasters, or emergencies involving mass casualties, can quickly overwhelm healthcare systems. The last thing on people’s minds in the midst of these situations is complying with the HIPAA Privacy Rule.
According to an article by Fred Donovan at HealthITSecurity.com, sometimes HHS steps in and issues a waiver of some HIPAA requirements. For example, during Hurricane Florence, HHS Secretary Alex Azar waived sanctions and penalties under certain HIPAA Privacy Rule provisions in the areas affected by the emergency. As a result, hospitals and other healthcare organizations were given a HIPAA waiver of up to 72 hours from the time they first implemented their disaster protocol.
But not all emergencies come with a reprieve from adherence to the federal law. During crises that do not include a HIPAA waiver, healthcare organizations that do not have a clear understanding of their obligations to patient privacy may risk liabilities and potential penalties for non-compliance.
During an emergency situation, healthcare organizations should seek a balance between disclosing patient information when necessary to respond to an emergency and protecting patient privacy. This balance should be incorporated into a health organization’s emergency preparedness and response plan.
The HIPAA Privacy Rule, even without a waiver, includes provisions designed to help healthcare organizations deal with emergencies.
“Those are the provisions that allow you to disclose information to law enforcement in order to identify people, to disaster assistance entities like The Red Cross, and to public health entities,” explained Melissa Markey, an attorney with the law firm of Hall, Render, Killian, Heath & Lyman.
“Those provisions apply all the time. You don't need to look for a waiver or notification from HHS to use those provisions,” Markey told HealthITSecurity.com.
Matt Fisher, a healthcare attorney at Mirick O'Connell, agreed that flexibilities are built into HIPAA. “HIPAA allows pretty broad use of PHI for treatment purposes or healthcare operations. Obviously, coordination of care in the instance of a hurricane or other natural disaster can be a big issue that needs the attention of healthcare organizations.”
In its Hurricane Florence bulletin, HHS said that the HIPAA Privacy Rule allows patient information to be shared without a waiver under the following conditions:
Treatment: Covered entities can disclose, without the patient’s authorization, PHI as necessary to treat the patient or to treat another person.
Public Health Activities: Covered entities can disclose PHI without authorization to a public health authority, to a foreign government at the direction of a US public health authority, and to people at risk of contracting or spreading a disease, state law permitting.
Disclosures to family, friends, or others involved in patient care: Covered entities can share PHI with a patient’s family members, relatives, friends, or other people identified by the patient as involved in his or her care. They also can share information about a patient to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care. This information may include the patient’s location, general condition, or death.
Disclosures to prevent an imminent threat: Covered entities can share PHI to prevent or lessen a serious and imminent threat to the health and safety of an individual or the public at large. A provider may disclose a patient’s PHI to anyone who can prevent or lessen the threatened harm, including family, friends, caregivers, and law enforcement, without a patient’s permission.
Disclosures to media or others not involved in patient care: Covered entities may release limited facility directory information to acknowledge someone is a patient and provide basic information about the patient’s condition in general terms. However, this requires that the patient has not objected to or restricted the release of that information or, if the patient is incapacitated, that the covered entity believes release of the information is in the best interest of the patient and is consistent with any prior expressed preferences of the patient.
Minimum necessary: Covered entities must make reasonable efforts to limit the information disclosed to the “minimum necessary” to accomplish the purpose of the disclosure.