The HIPAA Act aims to safeguard patient privacy and make healthcare more efficient in the U.S. The act also permits healthcare professionals to share patients’ protected health information (PHI) at certain times. One such time might be during an emergency.
In such a situation, sharing PHI might be required to ensure that patients (and the public) are taken care of quickly and safely. How and what type of PHI healthcare organizations can share depends on the emergency.
Learn about: Patient consent: What you need to know
What is an emergency to HIPAA?
A (health) emergency, according to HIPAA, is a situation that requires immediate medical attention or public health intervention. It often involves imminent danger. Such emergency situations include, but are not limited to, accidents, life-threatening medical conditions, natural disasters, disease outbreaks, accidents and injuries, and mental health crises. A recent example of a declared health emergency was COVID-19.
Generally, the HIPAA Privacy Rule is not suspended during an emergency. The rule establishes standards for the protection of individuals’ medical information even during an emergency. The goal is to continue to protect patients and PHI privacy while still balancing appropriate use and disclosure.
What happens if an emergency is declared?
The U.S. President must declare an emergency or disaster and the U.S. Secretary of the Department of Health and Human Services (HHS) must declare a public health emergency. Then, the HHS Secretary can suspend certain provisions of the Privacy Rule under the Project Bioshield Act of 2004 and section 1135(b)(7) of the Social Security Act. These provisions are:
- The requirement to obtain a patient’s agreement to speak with family or friends
- The requirement to honor a request to opt out of the facility directory
- The requirement to distribute a notice of privacy practices
- The patient’s right to request privacy restrictions
- The patient’s right to request confidential communications
In addition, HHS can waive certain sanctions for breaking HIPAA’s rules, such as fines associated with violations. When an emergency declaration ends, healthcare organizations must demonstrate complete HIPAA compliance again. If healthcare covered entities and business associates don’t comply at this point, they could face HIPAA violations.
PHI shareable in an emergency
Once an emergency is declared, PHI can be shared without written patient authorization in several instances. These include for treatment (when a patient is incapacitated), in the event of an outbreak or disaster (when there is an imminent threat to an individual or the public), and when a crime occurs or a court order is presented. PHI is also shareable during an emergency to better organize relief during a natural disaster and to share data in a directory to help with a patient’s whereabouts.
The type of PHI shared depends on the emergency and the data needed:
- Basic demographic information, such as an individual's name, address, date of birth, and gender, for identification purposes
- Medical information related to an incident, such as injuries sustained or medical conditions observed, for treatment purposes
- Information about criminal conduct, such as injuries resulting from criminal activity or other health-related details pertinent to an investigation
- Information about victims of a crime pertinent to an investigation
- Information about suspects, such as a physical description or a medical condition, that could aid in identification or apprehension
- Information related to the cause of a death
Read more: Understanding permissible disclosures in an emergency
HIPPA’s minimum necessary standard
What PHI to share in an emergency must still follow the minimum necessary standard. The rule requires healthcare entities to limit PHI use and disclosure to the smallest amount needed. HIPAA enacted the guideline to encourage patient privacy and trust, reduce the risk of unauthorized disclosures, improve HIPAA compliance, and promote the efficient use of healthcare resources.
The idea behind ‘minimum necessary’ is to balance patient confidentiality with the need to access and share information for appropriate patient care. Even in an emergency, a healthcare professional must make reasonable efforts to limit the information disclosed.
Health professionals are encouraged to use discretion and consider what information is relevant and required for every situation. Simultaneously, those who receive PHI, in an emergency or not, must also make a reasonable effort to keep the information safe.
Best practices for sharing PHI in an emergency
Sharing permissible disclosures in emergency situations must be done securely to protect patient privacy and comply with HIPAA regulations. Here are some best practices for sharing PHI securely and compliantly in an emergency.
Establish clear procedures for emergencies to ensure patient privacy.
Set clear data collection and disclosure policies including an in-house guide on what constitutes ‘minimum necessary’ information.
Update all policies and procedures regularly.
Utilize encryption and strong access controls to secure PHI, along with other technical and physical safeguards, as needed.
Transmit PHI only through secure methods, such as HIPAA compliant email.
Train staff on cybersecurity as well as emergency preparedness.
Implement auditing and monitoring systems and review the information regularly.
Ask all business associates and vendors to sign business associate agreements (BAAs) for added security.
In an emergency, covered entities and business associates must continue to use reasonable safeguards to protect PHI. This especially includes scrutinizing what PHI to share and how to share it before releasing the information.
Kapua Iao
