HIPAA Privacy in Emergency Situations

HIPAA Privacy in Emergency Situations
HIPAA Authorization in emergencies

OCR and Emergency Situations

The Office for Civil Rights (OCR) issued a bulletin November 10, 2014 on “HIPAA Privacy in Emergency Situations.” The  purpose of the bulletin was to assure that covered entities and their business associates know how protected health information.  Covered entities may share information during an emergency and that the privacy protections continue during emergencies. The OCR issued the bulletin in part due to the recent Ebola outbreak. Read the OCR bulletin Here.

Due to to the outbreak this led many healthcare organizations to voice their concern regarding how best to keep their staff members safe.  In addition, there was much discussion about how to remain HIPAA compliant and not to disclose inappropriately patients’ protected health information (PHI).  Since then other public catastrophes such as hurricanes and extensive flooding have also created significant concern.  They want to now how to serve the communities’ healthcare needs and stay in compliance with the HIPAA rule.

Managing HIPAA Privacy in Emergency Situations

The Department for Health and Human Services (HHS), Office for Civil Rights (OCR) has previously outlined how healthcare organizations can still follow HIPAA.  OCR gave guidelines on treating in the midst of public crisis and ensure that appropriate uses and disclosures of health information are made.  This allows them to treat patients, protect the nation’s public health and perform other critical functions.

The OCR stated, “The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission.”

The Privacy Rule allows covered entities to disclose necessary PHI without the individual’s authorization to a public health authority for the purpose of preventing or controlling disease, injury or disability.

Dealing with Family

Very importantly covered entities can also disclose information to family, friends and other involved in an individual’s care for notification purposes.  One may disclose information to identify, locate and notify family members, guardians or anyone responsible for the care of the patient.

HIPAA and Imminent Danger

OCR allows disclosure of information if there is imminent danger to the patient.  In addition, you may share if  the information will lessen serious or imminent threat to the health and safety of the patient.

Follow the HIPAA Privacy Rule

In any emergency situation covered entities must continue to use reasonable safeguards to protect PHI against intentional or unintentional impermissible uses and disclosures. In summary it is important for any covered entity to review and follow HIPAA Privacy in emergency situations.  This will allow them to continue to protect PHI even in a catastrophic situation.

For questions on these topics always feel free to contact us for clarification.