HIPAA Guidance for Emergencies Released by OCR
It often takes an emergency situation to realize that policies and procedures are not adequate, and the recent outbreak of Ebola clearly highlighted issues with current legislation, prompting the OCR to issue HIPAA guidance for emergencies. The new guidance will help HIPAA-covered entities to avoid Privacy Rule violations when reacting to emergency situations, and provides further clarification of the rules covering the disclosure of PHI that is in the public interest.
While the HIPAA Privacy Rule details what information can be shared, under what circumstances, and with whom, there is no provision for emergency situations, such as the outbreak of highly infectious diseases.
Under the Privacy Rule, information about a patient who has caught Ebola for example, could not be released unless he had given prior authorization. However, if the sharing of that information could potentially save lives; such as allowing people he had been in contact with to be quarantined or receive early medical treatment, then the details should be revealed.
The OCR provided further information on the classification of “treatment” in the HIPAA Privacy Rule as including “The coordination or management of healthcare and related services by one or more healthcare providers and others, consultation between providers, and the referral of patients for treatment.”
The guidelines state that in situations that would be beneficial for disease control, covered entities are permitted to share information with public health authorities. The information which can be shared can include medical information that will assist with treatment and disease control, although this should be limited to the minimum data necessary to achieve that purpose.
The OCR also covered other situations in its HIPAA guidance for emergencies when PHI sharing is possible under the Privacy Rule, such as reporting births and deaths as part of public health surveillance programs and law enforcement investigations.
In the case of pandemic outbreaks of highly contagious diseases, Ebola being a good example, healthcare providers are allowed to share information about the patients – without prior approval – not only with local public health authorities, but also those in other countries.
The guidance covers situations where disclosure is permitted and also the information that should be released. It advises that information should be limited to that which is necessary to achieve its purpose.
Guidelines for business associates are included and how, even in cases of emergencies, safeguards must remain to protect the privacy of patients.
The OCR HIPAA Guidance for Emergencies can be downloaded from the Department of Health and Human Services website.