HIPAA Disclosures in Emergency Situations
A quick review of the HIPAA Privacy Rule can help to guide healthcare entities on the proper way to share information in emergency situations.
By Jillian Harrington, EdD, MHA, CPC, CPC-P, CPC-I, CEMC, CCS, CCS-P, AAPC Fellow
Following several situations that have recently occurred, such as the mass shooting in Las Vegas, the weather related disasters in Florida and Texas, and the forest fire devastation in the West, there are times when friends, family, or someone else is involved in a patient’s care and is looking for information. This can result in a difficult situation for a healthcare organization trying to maintain compliance with HIPAA regulations, but also trying to provide good service to this patient and meet the needs of their family.
When is It OK to Share PHI with Family?
A healthcare organization is able to share certain protected health information (PHI) with family members, friends, and other people who the patient has identified as involved in their care (45 CFR 164.510(b)). The organization should first obtain permission verbally to share this information, unless it can be reasonably inferred that the patient does not object to the sharing of the information. Often in an emergency situation the patient may be incapacitated, rendering them unable to identify which family or friends should be given information. In these cases, providers can share information if they feel it is in the best interest of that patient. They should use their professional judgement to determine the appropriateness of the situation.
When is It OK to Share PHI with Other Entities?
There are also times when disaster relief organizations are seeking information regarding patients in order to coordinate efforts in locating family and organizing other efforts with regard to a mass casualty or a disaster situation. HIPAA does allow for healthcare organizations to provide PHI to these groups for the purposes of these efforts. As is the case with any of these release of information situations, only the minimum necessary amount of information needed should be released. Healthcare organizations must be good stewards of their patients’ information, and limiting release of information to the minimum amount necessary helps to demonstrate good faith.
When is It OK to Share PHI with the Media?
One last important area of information release is to media outlets. With a situation such as a mass casualty incident or a natural disaster, healthcare organizations are going to be swarmed with media requested for information, as well. Knowing what can and cannot be released in these situations is crucial.
If a patient has not restricted their information from the patient directory, and a specific request comes in for a patient, a healthcare facility can release limited information about that patient, such as their general condition and whether they are deceased, or were released. With an incapacitated patient, there are also caveats in the rule regarding the ability of the facility to use their best judgment to release this limited directory information (45 CFR 164.510(a)). For any additional detailed information to be provided to the media or general public about a patient’s status, such as diagnosis, surgery performed, ancillary testing, medications provided, or any other level of detail outside of directory information, a signed authorization would have to be provided by the patient or their authorized representative (45 CFR 164.508).
Look to OCR for Guidance
The U.S. Department of Health and Human Service Office of Civil Rights (OCR) will occasionally step in and offer some waivers and modifications to certain aspects of regulations during times of crisis. It is important to pay close attention to the information being provided through the OCR website to understand what can be shared and what cannot, so that we can do our best to protect patient information, even in times of crisis.
Jillian Harrington, EdD, MHA, CPC, CPC-P, CPC-I, CEMC, CCS, CCS-P, AAPC Fellow, is an Assistant Professor of Health Service Administration in the School of Nursing and Health Science at Robert Morris University. Prior to joining RMU, she served as a consultant educator for HCPro, a division of BLR, as well as a chief compliance officer/privacy officer for a large academic medical center. She also teaches CPT and ICD-10 coding, and is an AAPC Approved Instructor.