The U.S. Department of Health and Human Services Office for Civil Rights has put out a bulletin to ensure that HIPAA-covered entities and their business associates are aware of the ways in which patient information can be shared in an emergency situation.
The bulletin comes in response to the Ebola outbreak and is designed to provide those in the healthcare industry with a reminder that the protections of the Privacy Rule must still be adhered to even in an emergency situation.
Many healthcare facilities found themselves the target of media inquiries requesting information about who the Ebola patients were, how they were being treated, etc.
Under HIPAA, a healthcare facility cannot disclose information about individual patients without authorization from that patient. However, HHS outlined some exceptions related to public health emergencies that, in some cases, allow some flexibility around information sharing in an effort to protect the nation’s public health. The latest guidance is an attempt by HHS to strike a balance between a patient’s right to privacy and the need to protect public health.
For example, under the Privacy Rule, covered entities may disclose protected health information without a patient’s authorization as necessary to treat the patient or to treat a different patient.
The rule notes: “A covered entity may disclose to the Centers for Disease Control and Prevention protected health information on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Ebola virus disease.” The rule also allows the covered entity to notify those at risk of contracting or spreading a disease or condition to prevent the spread of the illness or to carry out public health interventions or investigations.
The rule also allows disclosures to the patient’s family, friends and others involved in an individual’s care.
Healthcare providers “may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public – consistent with applicable law – such as state statutes, regulations, or case law – and the provider’s standards of ethical conduct.”
With respect to media inquiries, “upon request for information about a particular patient by name, a hospital or other healthcare facility may release limited facility directory information to acknowledge an individual is a patient at the facility and provide basic information about the patient’s condition in general terms – for example, critical or stable, deceased, or treated and released.”
Business associates of a covered entity, including a subcontractor, may make disclosures permitted by the Privacy Rule, such as to a public health authority, on behalf of a covered entity or another business associate to the extent authorized by its business associate agreement.
HHS may waive certain HIPAA Privacy Rule provisions, both sanctions and penalties, for covered entities. These waivers would take effect if the President first declared an emergency and the HHS Secretary then declared a public health emergency.
The waivers include:
- Requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
- Requirement to honor a request to opt out of the facility directory
- Requirement to distribute a notice of privacy practices
- The patient’s right to request privacy restrictions
- The patient’s right to request confidential communications