Are You Ignoring HIPAA Compliance During Emergencies?

Here Is What You Need To Know About HIPAA Compliance During Emergencies

Whether it’s a flash flood or a ransomware attack, you never know disaster will strike your healthcare organization. Your top priority during an emergency is likely your patients – as it should be.

However, as a healthcare professional in the modern world, you don’t have the luxury of only worrying about your patients. You need to be thinking about HIPAA compliance too.

The question is – when disaster strikes, do you know what it means to be compliant?

The Reality Of HIPAA Compliance During Emergencies

You may be thinking, “shouldn’t HIPAA compliance be put on the back burner when my practice gets hit with a disaster?”

The answer? Sometimes.

When the disaster is of sufficient severity, the HHS will issue a waiver for affected organizations. For example, during Hurricane Florence, HHS issued a waiver of HIPAA requirements for healthcare organizations along the Carolina coast.

In that instance, a number of HIPAA stipulations were waived for a 72-hour period:

  • Requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
  • Requirement to honor a request to opt-out of the facility directory of patients
  • Requirement to distribute a notice of privacy practices
  • Patient’s right to request privacy restrictions
  • Patient’s right to request confidential communications

However, while there are examples like this that you can cite, they’re more the exception than the rule. You can’t hope that an emergency is so dire that HHS will let you off the hook. You need to stay compliant, no matter what happens.

The HIPAA Privacy Rule & Emergencies

Even though you can’t count on a waiver, HIPAA does provide a few provisions for organizations affected by emergencies. Namely, patient information can be shared without a waiver if the following conditions are met:

  • Treatment: If disclosure of PHI is necessary for the treatment of the patient or another person, patient authorization is not required.
  • Public health activities: PHI can be disclosed without patient authorization to public health authorities, foreign governments, and people at risk of contracting/spreading disease.
  • Disclosure to family & friends: PHI can be disclosed with authorization to family members, friends, relatives, others identified by the patient as involved in care. This info can also be shared in order to locate the parties listed above.
  • Disclosure to prevent imminent threat: PHI can be disclosed without authorization if it is to prevent a serious or imminent threat to the health and safety of an individual or the public at large.
  • Disclosure to media or those not involved in care: Limited facility directory info can be released if it is done so in order to acknowledge that someone is a patient. They can also provide basic information about the patient’s condition in general terms.However, to do so the covered entity requires that the patient has not objected to this action or restricted the release of their information. If the patient is incapacitated, the covered entity must believe the release of info is in the best interest of the patient.
  • Minimum necessary: Any and all disclosed info must be the “minimum necessary” in order to accomplish the intended purpose.
  • Business associates: Business associates may disclose patient information in line with the Privacy Rule to a public health authority on the covered entity’s behalf, so long as it is covered by the business associate agreement.

How Should You Maintain HIPAA Compliance During An Emergency?

The bottom line, as always with HIPAA, is to know what you’re dealing with and to have a plan before it is needed. In the event of an emergency, follow the standard provisions offered to you, and if a waiver should be issued, be sure to work within its stipulations as well.

Like this article? Check out the following blogs to learn more:

11 Ways You Can Benefit From Assisted IT Services

Managed IT Helps Your Bottom Line: 6 Ways How

5 Ways Managed IT Services Is the Right Choice for Your Business