Are Emergency Notifications Systems for Business HIPAA-Compliant?
In most circumstances, emergency notification systems for business would not be used to share Protected Health Information (PHI); but if an event were to require the communication of PHI, are emergency notification systems for business HIPAA-compliant?
Emergency notification systems for business are software platforms most commonly used to alert personnel to the risk of danger. Events in which such systems might be used include incoming hurricanes, chemical spills, active shooter events, and fires; it would therefore be rare for Protected Health Information (PHI) to be shared in the context of an emergency notification.
Furthermore, outside of the healthcare and healthcare insurance industries, businesses can generally share employees' personal details via emergency notification systems because they are not covered by HIPAA regulations. Exceptions exist (e.g. self-insured group health plans), but it is hard to conceive of a scenario in which a self-insured employer would share PHI in an emergency notification.
Emergency Notification Systems for Healthcare Organizations
Emergency notification systems for businesses in the healthcare and healthcare insurance industries should never be used to share PHI except in the two exceptional circumstances described below. This is because emergency notifications are sent via a variety of communication channels that are not considered HIPAA-compliant, and so the systems themselves would not be considered HIPAA-compliant.
In addition to emergency notification systems for business using non-compliant channels of communication such as SMS text, email, and social media, the systems do not comply with the technical specifications of the HIPAA Security Rule inasmuch as recipients' devices do not have automatic log-out or PIN-lock capabilities. It is also not possible to retract previously sent notifications.
Exceptions for Sharing PHI via Emergency Notification Systems
Two exceptions exist for sharing PHI via emergency notification systems. The first is in the event of a severe public health emergency, when the Department of Health and Human Services may suspend the HIPAA Privacy Rule or elements of the Privacy Rule. These suspensions are usually time-limited and subject to specific conditions, and may only apply to certain individuals (e.g. hospital in-patients only).
The second exception is when an individual has given their consent in advance for their PHI to be shared with appropriate agencies during an emergency. In order for this exception to apply, the Covered Entity must obtain written consent and adhere to the “minimum necessary standard” – i.e. disclosing only the minimum amount of information necessary to accomplish the intended purpose of the disclosure.
Although – in theory – it is possible to extend this second exception to all patients by obtaining every patient's consent in advance, this course of action is unlikely to be successful. A patient can revoke their consent at any time; and, because HIPAA regulations prohibit making health care treatment conditional on a patient providing consent, a situation could arise in which it is permissible to disclose some patients' PHI but not others'. In an emergency, healthcare organizations do not need additional administrative duties.