OCR Issues Guidance on HIPAA in Emergencies
The outbreak of Ebola has raised numerous issues of personal privacy and the information that should be disclosed in situations when there is a public health concern. Under HIPAA regulations, protected health information such as the diagnosis of a disease should remain private, and the disclosure of this information with the name of the patient can be a potential HIPAA violation.
The issue of sharing private information in an emergency situation is not addressed in the HIPAA privacy rule, although the Privacy Rule does cover what information can be shared. In cases where the sharing of patient information can aid the treatment of the patient or other patients, medical information can be disclosed without authorization.
The OCR explained that “Treatment includes the coordination or management of healthcare and related services by one or more healthcare providers and others, consultation between providers, and the referral of patients for treatment.”
If an entity is covered by HIPAA it is permitted to submit medical information about a patient to public health authorities in cases where the information could be beneficial for disease control. There is also an obligation to report births and deaths and provide medical information in other situations in the context of public health surveillance and investigations.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
As applies to cases of Ebola, medical centers and healthcare organizations are permitted to share information with government agencies in foreign countries to help control the spread of the disease. If a patient contracts an infectious disease they are not required to grant authorization for that information to be used to warn others to reduce the risk of transmission.
However, there are a number of instances where the disclosure of personal health information is not clear, which is why the guidelines need to be issued. One issue covered is the disclosure of PHI to the media and other entities with no involvement in the patient’s care or the notification process. In all cases, the information must be shared using a HIPAA-compliant messaging solution to ensure confidentiality.
The guidance covers situations where disclosure is permitted and also the information that should be released. It advises that information should be limited to that which is necessary to achieve its purpose. Guidelines for business associates are included and how even in cases of emergencies, safeguards must remain to protect the privacy of patients.
In emergencies, the HIPAA Privacy Rule remains in place although it is possible for the HHS to waive sanctions for a number of HIPAA privacy issues in emergency situations. However, until notification to the contrary is received, healthcare organizations and their business associates should continue to abide by the Security Rule.
