Emergency notification systems for business are software services that are often implemented to alert personnel to the risk of danger. Situation that they are used include incoming hurricanes, chemical spills, active shooter events, and fires; and therefore it would be unusual rare for Protected Health information (PHI) to be shared in the context of an emergency alert.
In addition, outside of the healthcare and healthcare insurance sectors, businesses can generally share employees´ personal details through emergency notification systems because they are not included in HIPAA regulations. Exceptions are there (i.e. self-insured group health plans), but it is difficult to think of a scenario in which a self-insured employer would send PHI in an emergency notification.
Emergency Notification Systems for Healthcare Groups
Emergency notification systems for businesses in the healthcare and healthcare insurance sectors should never be used to share PHI except in the exceptions referred to here below. This is because emergency alerts are sent via a variety of communication channels that are not thought of as HIPAA-compliant, and so the systems themselves would not be though of as HIPAA-compliant.
Along with emergency notification systems for business using non-compliant channels of communication such as SMS text, email, and social media, the systems do not adhere to the technical specifications of the HIPAA Security Rule inasmuch as recipients´ devices do not have automatic log out or PIN lock available. It is also not possible to retract earlier sent alerts.
Exceptions for Sharing PHI over Emergency Notification Systems
Two exceptions are in place for sharing PHI via emergency notification systems. The first is during a severe public health emergency, when the Department of Health and Human Services may temporarily suspend the HIPAA Privacy Rule or elements of the Privacy Rule. These suspensions are usually time-restricted and subject to specific conditions, and may only apply to certain peoples (i.e. hospital in-patients only).
The second exception is when a pressed has given their permission earlier for their PHI to be shared with appropriate agencies during an emergency. In order for this exception to be active, the Covered Entity must obtain written consent and comply to the “minimum necessary standard” – i.e. sharing only the minimum necessary amount of information to achieve the intended purpose of the sharing.
Although it can be perceived that it is possible to extend this second exception to all patients, and obtain every patient’s consent on an earlier occasion, this route of argument is unlikely to be successful. A patient can withdraw their consent at any time; and, as it is against HIPAA legislation to make health care treatment conditional on a patient giving consent, a situation could arise in which it is okay to share a portion of a patients’ PHI, but not others. In an emergency, healthcare groups should not have to deal with additional administrative duties.