In light of an emergency situation like the Ebola outbreak, the U.S. Department of Health and Human Services (HHS) has provided a bulletin to ensure that HIPAA covered entities and their business associates are aware of the ways in which patient information may be shared under the HIPAA Privacy Rule. While sections of it are vague and open to interpretation, it generally serves as a reminder that the protections of the HIPAA Privacy Rule are not set aside during an emergency.
One of the goals of the HIPAA Privacy Rule is that it protects the privacy of patients’ health information (PHI), yet is balanced to ensure appropriate uses and disclosures of the information when necessary. These instances can occur when treating a patient, protecting the nation’s public health, or other critical purposes.
Sharing Patient Information in an Emergency
Under the Privacy Rule, covered entities may reveal PHI if it is deemed necessary to treat the patient or a different patient, even without a patient’s authorization. The HIPAA Privacy Rule also allows covered entities to release PHI without a patient’s authorization to a public health authority like the Centers for Disease Control and Prevention (CDC) or a state or local health department.
For example, a covered entity can release to the CDC PHI of patients who have been exposed, suspected, or confirmed to be carrying the Ebola virus.
Disclosures to Family, Friends and Caregivers
A covered entity is allowed to share PHI with a patient’s family, relatives, friends or caregivers. Where it gets interesting however, is that the Privacy Act also allows a covered entity to notify the police, the press, or the general public in its attempt to track down family, friends or caregivers of a patient in an emergency. Under these circumstances, the covered entity should first get verbal permission from a patient to do so. But if it cannot, the covered entity may still release the information and remain in HIPAA compliance if in their professional judgement, doing so is in the patient’s best interest.
Disclosures to Disaster Relief Organizations
In addition, a covered entity can also share PHI with disaster relief organizations like the American Red Cross. Furthermore, patient authorization to share protected health information is not required if doing so would interfere with the Red Cross’ ability to respond to the emergency.
Disclosures to the Media
In general, a hospital or health care facility may not release information about a patient to the media without a patient’s written authorization. Where it gets confusing are instances where the Privacy Act allows exceptions to the rule. They are:
- If a patient is incapacitated, a covered entity may release their information to the media if the disclosure is believed to be in the best interest of the patient.
- Limited circumstances such as when disclosure to the media is thought to be necessary to notify relatives, friends and caregivers of a patient’s location and general condition.
Role of Business Associates in an Emergency
As covered in a previous post, a business associate is an entity that performs certain activities that involve the use or disclosure of PHI on behalf of a covered entity. In an emergency situation like the Ebola outbreak, a business associate is allowed to release information to a public health authority on behalf of a covered entity to the extend it’s authorized by its business associate agreement.
Emergency Declaration by the President
If the President declares an emergency or disaster and the Secretary of HHS follows suit by declaring a public health emergency, a special situation arises for a limited time. For a period of up to 72 hours, penalties against a hospital may be waived for breaking the following sections of the HIPAA Privacy Rule:
- Requirement to obtain patient consent to speak with family, friends, or caregivers.
- Requirement to honor a patient’s request to opt out of a facility directory.
- Requirement to supply a notice of privacy practices.
- A patient’s right to request privacy restrictions.
- A patient’s right to ask for confidential communication.
In an emergency situation, covered entities and their business associates must continue to use reasonable safeguards to protect PHI. In addition, they must continue to apply administrative, physical and technical safeguards of the HIPAA Security Rule to electronic PHI. When an emergency situation occurs the rules become confusing as exceptions begin to arise. Thankfully, the HHS has provided some guidance and we hope this article helped you make sense of it.