OCR Issues Guidance on HIPAA in Emergencies

Share this article on:

The outbreak of Ebola has raised numerous issues of personal privacy and the information that should be disclosed in situations when there is a public health concern. Under HIPAA regulations, protected health information such as the diagnosis of a disease should remain private, and the disclosure of this information with the name of the patient can be a potential HIPAA violation.

The issue of sharing private information in an emergency situation is not addressed in the HIPAA privacy rule, although the Privacy Rule does cover what information can be shared. In cases where the sharing of patient information can aid treatment of the patient or other patients, medical information can be disclosed without authorization.

The OCR explained that “Treatment includes the coordination or management of healthcare and related services by one or more healthcare providers and others, consultation between providers, and the referral of patients for treatment.”

If an entity is covered by HIPPA it is permitted to submit medical information about a patient to public health authorities in cases where the information could be beneficial for disease control. There is also an obligation to report births and deaths and provide medical information in other situations in the context of public health surveillance and investigations.

As applies with cases of Ebola, medical centers and healthcare organizations are permitted to share information with government agencies in foreign countries to help control the spread of the disease. If a patient contracts an infectious disease they are not required to grant authorization for that information to be used to warn others to reduce the risk of transmission.

However there are a number of instances where the disclosure of personal health information is not clear, which is why the guidelines needed to be issued. One issue covered is the disclosure of PHI to the media and other entities with no involvement in the patient’s care or the notification process. In all cases, the information must be shared using a HIPAA-compliant messaging solution to ensure confidentiality.

The guidance covers situations where disclosure is permitted and also the information that should be released. It advises that information should be limited to that which is necessary to achieve its purpose. Guidelines for business associates are included and how even in cases of emergencies, safeguards must remain to protect the privacy of patients.

In emergencies the HIPAA Privacy Rule remains in place although it is possible for the HHS to waive sanctions for a number of HIPAA privacy issues in emergency situations. However, until notification to the contrary is received, healthcare organizations and their business associates should continue to abide by the Security Rule. All covered entities are advised to read the new guidelines which are downloadable from the HHS website.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On