HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Compliance for Emergency Care

HIPAA compliance for emergency care professionals can be harder than for other healthcare professionals due to the behaviors of patients and their families during emergency events. We look at why this is the case and what Covered Entities can do to prevent unintentional HIPAA violations in emergencies.

In 2020, a study into “emotionally evocative patients in the emergency department […] and the implications for patient safety” found that patient behaviors and issues with hostile family members left the majority of emergency care professionals angry, frustrated, or irritated. Many professionals admitted failing to provide the best possible care or act professionally following an angry encounter.

The study backed up previous research suggesting that emotions can influence clinical reasoning and behavior, raised concerns that negative encounters could evoke negative emotions that could compromise patient safety in emergency situations, and concluded that emergency care professionals should receive additional training to promote awareness of emotional influences.

The Impact of Negative Encounters on HIPAA Compliance

Although there have been no studies on the impact of negative encounters on HIPAA compliance for emergency care professionals, it is not difficult to see how patient behaviors and issues with hostile family members might compromise HIPAA compliance – especially in potentially chaotic situations in which patients and family members may be panicked, anxious, and distressed.

In such situations, it is conceivable an angry, frustrated, or irritated emergency care professional might disclose more PHI than the minimum necessary or fail to “exercise professional judgement [if] a disclosure is determined to be in the best interests of the individual.” Although these situations can occur in any healthcare setting, they tend to be more prevalent in emergency care.

It can also be the case that rushed, flustered, or pressurized emergency care professionals take shortcuts with HIPAA compliance “to get the job done.” This theory aligns with several comments in the study acknowledging that patients were not given full assessments or examinations following negative encounters because the priority was to get them discharged.

Concerns about HIPAA Compliance for Emergency Care Professionals

Occasional “incidental disclosures” – in which more than the minimum necessary PHI is disclosed – are not violations of HIPAA if disclosures are incidental to a permitted disclosure and if safeguards are in place to limit incidental disclosures to a reasonable and appropriate level. It could also be argued that “best interest disclosures” are permitted, rather than required, so there may not be a violation of HIPAA if an emergency care professional fails to exercise professional judgement.

However, if incidental disclosures become more frequent, are not incidental to a permitted disclosure, or lead to a culture of non-compliance developing, this can result in an increased number of patient complaints, investigations by HHS' Office for Civil Rights, and enforcement action being taken against the Covered Entity responsible for the conduct of the emergency care professionals.

In this respect, it is important to be aware that the non-compliant actions of one healthcare professional can lead to others following suit. There are a number of examples in the study referenced above in which the anger, frustration, or irritation of one emergency care professional resulted in colleagues also failing to provide the best possible care or act professionally – even though they had not personally experienced the negative encounter.

Overcoming the Issue of HIPAA Compliance for Emergency Care Professionals

The Department of Health and Human Services acknowledges that HIPAA compliance can be challenging in circumstances in which patient safety has to take priority. Consequently, the Privacy Rule includes phrases such as “as soon as reasonably practical” in relation to some standards, while the Security Rule has a “flexibility of approach” that allows Covered Entities and Business Associates to implement measures that are “reasonable and appropriate” to their circumstances.

Nonetheless, Covered Entities are required to develop policies to protect the privacy of individually identifiable health information, train members of the workforce on the policies, and implement measures to maximize compliance with the policies. If it is subsequently discovered that a culture of non-compliance is developing, it will be necessary for Covered Entities to provide refresher training on HIPAA compliance for emergency care professionals to address any identified issues.

In many ways, this is a similar solution to the one recommended by the study referenced above – that emergency care professionals should receive additional training to promote awareness of emotional influences. Indeed, as emotional influences can affect patient safety and HIPAA compliance, a single additional training course could overcome both issues simultaneously – thereby improving patient safety in emergency care while improving HIPAA compliance for emergency care professionals.