adimas - Fotolia
Do HIPAA compliance requirements change during health crises?
Outbreaks of Ebola caused widespread fear, but should enterprises be worried about the effect on HIPAA compliance requirements? Compliance expert Mike Chapple explains.
The U.S. Department of Health and Human Services (HHS) released a bulletin addressing the effects of the Ebola outbreak -- and other future medical emergencies -- on HIPAA compliance. Can you explain what the bulletin covers and if HIPAA-regulated organizations need to change any practices in particular?
The Ebola outbreak raised questions among healthcare providers about their responsibilities surrounding the sharing and safeguarding of patient information. During any health crisis, public health officials must share information to help mitigate the emergency, but all of this sharing must take place within the constraints of HIPAA. One line in the report sums up the situation well: "the protections of the Privacy Rule are not set aside during an emergency."
HIPAA compliance requirements allows the sharing of personal health information when it's required for treating patients or public health purposes. HIPAA grants broad authority to share information among healthcare providers when it's necessary to treat a patient -- either the patient who is the subject of the records or another patient. Providers may also disclose information to public health authorities at the federal, state or local level when needed for the purpose of preventing or controlling disease, injury or disability.
Healthcare providers may also share patient information with a patient's family, friends or others involved in their care. If the patient is capable of communication, providers should first get verbal permission from the patient or, at the very least, be able to reasonably infer that the patient does not object. If the patient is not able to communicate, they may share information if they feel it is in the patient's best interest.
HIPAA places much stricter restrictions on disclosures to the media or others not directly involved in the patient's care. Generally speaking, a provider may only acknowledge that an individual is a patient and a general description of his or her condition -- e.g. critical or stable, current patient, treated and released or deceased. Any other disclosures that involve personally identifiable information, such as test results or diagnoses require the written authorization of the patient or his representative.
The bottom line is in most cases, all provisions of HIPAA compliance continue to apply during a public health emergency. The Secretary of Health and Human Services may issue very limited waivers of HIPAA notification and consent requirements during a presidentially declared disaster, but those cases are few and far between.