The HIPAA Privacy Rule in Emergency Situations
The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by covered entities and business associates of covered entities. PHI is defined as any information held by a covered entity that contains health status, health care provisions, or payments that can be linked to an individual. Learn more about specific PHI covered under HIPAA right here.
Why Can PHI Be Shared in Emergency Situations?
On November 10th of this year, the Department of Health and Human Services issued a bulletin stating that the HIPAA Privacy Rule "protects the privacy of patient's health information (PHI) but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation's public health and for other critical purposes." Therefore, in public health emergency situations, such as the recent Ebola outbreak or Hurricane Katrina in the United States, the HIPAA Privacy Rule may allow for disclosure of PHI without a patient's permission in order for patients to get the urgent care they need. Providers and health entities covered by the HIPPA Privacy Rule may allow the sharing of patient information in the following ways:
PHI may be shared with other physicians, referring patients for treatment or coordinating care with disaster relief workers or other appropriate health services in emergency situations. Providers can also share information if it is necessary to receive payment for services rendered in the emergency situation.
In order to properly identify, locate and notify family members, guardians, or anyone associated with the care of a patient in a disaster situation, health information may be shared by healthcare providers or covered entities.
Media Disclosures + Information Limits
In events such as car accidents, PHI can be disclosed by healthcare facilities and covered entities to media organizations in limited means, which is defined as the patient's general condition (as long as the patient does not deny consent or is incapacitated). In emergency and/or disaster situations such as the Ebola outbreak, PHI may be released to the public, press or the police by the healthcare facility if it risks harm and promotes caution to the general public. Again, information can only be produced in limited form "to protect the nation's public health" and "prevention or control of a particular disease, injury or disability."
III. Imminent Danger
As touched on above, providers are allowed to share PHI if necessary to prevent or lessen a serious danger or threat of said patient or the general public. The American Red Cross, which is authorized to assist citizens in the event of disaster relief needs, is allowed to obtain any medical information deemed necessary to care for victims and prevent future tragedy to others of a particular emergency situation. The ultimate goal is to keep the health and safety of citizens as the first priority by healthcare workers.
IV. Facility Directory
According to the Department of Health and Human Services, any healthcare facilities that maintain a directory of patients can refer limited information to callers acquiring about a particular patient. The limited information that can be given includes if the patient is at their particular facility, their location within the facility, and general condition, such as "stable" or "critical".
The ultimate goal of releasing information during emergency situations to protect the public from further or future harm and to treat the patient as quickly as possible to prevent permanent trauma or even death. Keeping citizens informed on the dangers, such as those in the Ebola outbreak and the Hurricane Katrina disaster, will ensure that people can take the precautions necessary to be safe.
-Allison Stejskal, Business Development Executive