HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Compliance and Urgent Care

Due to the emotions that can manifest during emergency events, HIPAA compliance and urgent care do not go hand-in-hand. It can also be the case that shortcuts are taken with compliance during emergency events in order to administer urgent care as quickly as possible. Unfortunately, these factors can lead to multiple HIPAA violations.

Recently, there has been an increasing amount of research done into the role of emotions in clinical decision-making and patient safety in urgent care settings. The conclusions tend to be that more needs to be done via training initiatives “to promote awareness of emotional influences and consider strategies for managing these influences”.

While HIPAA compliance does not have the same importance as optimizing patient safety, it too can be influenced by emotions. This is especially true in the context of HIPAA compliance and urgent care due to the serious nature of injuries treated in urgent care environments and the emotions of patients and family members, as well as those of healthcare professionals.

When emotions from any source influence how a patient is treated – for example, by taking shortcuts “to get the job” done – this can lead to non-compliance with the HIPAA Privacy Rule. This article discusses areas of the Privacy Rule that healthcare professionals need to be particularly aware of in emotive emergency situations.

Privacy Rule HIPAA Compliance and Urgent Care

There are three primary areas of the HIPAA Privacy Rule that healthcare professionals need to be particularly aware of in emotive emergency situations – disclosing more than the minimum information necessary, incidental disclosures of health information, and failing to give a patient an opportunity to agree or object to a disclosure.

The Minimum Necessary Standard

The minimum necessary standard stipulates that Covered Entities are required to make reasonable efforts to ensure that uses and disclosures of Protected Health Information are limited “to the minimum necessary to accomplish the intended purpose of a particular use or disclosure”.

Although the minimum necessary standard does not apply to disclosures among healthcare professionals for treatment purposes, it does apply to disclosures to other members of the Covered Entities workforce and to family, relatives, and friends of the patient.

Incidental Disclosures of Health Information

Infrequent incidental disclosures of health information are not HIPAA violations if they are incidental to a permitted disclosure of health information, if the minimum necessary standard was applied in the permitted disclosure, and if safeguards are in place to limit incidental disclosures.

However, if incidental disclosures are allowed to develop into a “cultural norm”, if they result in the disclosure of more than the minimum necessary health information, and if no safeguards are in place to prevent them, they become HIPAA violations potentially subject to enforcement action.

The Opportunity to Agree or Object to a Disclosure

Between the permissible disclosures of health information and those requiring patient authorization, there is a gray area of compliance in which patients should be given the opportunity to agree or object to (for example) their name being added to a facility directory for notification purposes.

While the Privacy Rule gives healthcare professionals leeway to “exercise their professional judgement [if] the use or disclosure is determined to be in the best interests of the individual”, this should not be interpreted as an excuse to bypass this area of the HIPAA requirements.

Overcoming the Challenges of HIPAA Compliance in Urgent Care

In many emergency situations, it is impractical to comply with HIPAA and prioritize patient safety. HIPAA acknowledges this – hence some clauses of the Privacy Rule allow Covered Entities to comply with specific requirements “as soon as reasonably practicable” or implement measures that are “reasonable and appropriate” to the circumstances.

Nonetheless, if liberties are taken with the language of the Privacy Rule, it could result in liberties being taken elsewhere – potentially resulting in patient complaints to HHS´ Office for Civil Rights, compliance investigations, and financial civil penalties and/or the imposition of a Corrective Action Plan. In some states, State Attorneys General can impose further civil penalties.

The way for Urgent Care Centers, ERs, and other emergency clinics to overcome the challenges of HIPAA compliance in urgent care is to assess the risks to Protected Health Information on a regular basis, organize regular HIPAA refresher training sessions, and enforce sanctions on members of the workforce that regularly allow emotions to influence their compliance with the HIPAA Privacy Rule.