Health Information Compliance Alert

Published on Tue Sep 19, 2017 PDF

In a disaster, HHS sometimes lifts sanctions when HIPAA protocols just aren’t possible.

As the flood waters from Hurricane Harvey recede and the nation takes on the devastation of Hurricane Irma, providers are on the front line assisting patients. HHS and OCR offer HIPAA guidance in the chaos.

The storms: Hurricane and then Tropical Storm Harvey left Texas reeling from over 52 inches of rain and heavy winds, then moved on to destroy parts of the Louisiana Gulf Coast. The aftermath culminated in massive flooding, destroying homes, businesses, and infrastructure while displacing thousands of Texans and Louisianans in the process.

Within days of the government announcing areas of Texas and Louisiana were under states of Public Health Emergency (PHE) and dispersing federal assistance, the country had to contend with the onslaught of another natural disaster — Hurricane Irma. The Category 4 storm roared through the Caribbean and up the East Coast, ravaging everything in its path. At press time HHS Secretary Tom Price, MD, had already issued PHEs for Puerto Rico, the U.S. Virgin Islands, Florida, South Carolina, and Georgia. “Through these public health emergency declarations for Georgia and South Carolina, we are helping ensure that people in those states with Medicare, Medicaid and the Children’s Health Insurance Program (CHIP) can maintain access to care,” said Price on Sept. 8, 2017 after announcing the last two states’ PHE status. “HHS medical teams are prepared to support states and U.S. territories respond to Hurricane Irma.”

Take a Look at the 1135 Waiver Rules

A declaration of a PHE eases the privacy rules under HIPAA, but both the President of the United States and the HHS Secretary must weigh in before disclosures are allowed. Once the President declares an emergency or disaster under the Stafford Act or the National Emergencies Act and the HHS Secretary declares a PHEunder the Public Health Service Act, providers can then use those determinations to utilize the 1135 Waiver form.

Blanket waiver: CMS is able to waive certain documentation requirements to help ensure healthcare providers can deliver care to patients who have no health records, or even no proof of their Medicare status, the HHS release noted. Some “sanctions and penalties” are also waived by the HHS Secretary for covered entities (CEs) under a PHE determination. Here is a list of the HIPAA Privacy Rule specifics that are eligible for waiver in a PHE, according to the HHS Hurricane Irma fact sheet:

• The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. (45 CFR 164.510[b])
• The requirement to honor a request to opt out of the facility directory. (45 CFR 164.510[a])
• The requirement to distribute a notice of privacy practices. (45 CFR 164.520)
• The patient’s right to request privacy restrictions. (45 CFR 164.522[a])
• The patient’s right to request confidential communications. (45 CFR 164.522[b])

Read the HHS fact sheet at: https://www.hhs.gov/sites/default/files/hurricane-irma-hipaa-bulletin.pdf.

Know Your State’s Requirements

“Federal laws and regulations permit, and many state laws require, the disclosure of patient information without a patient’s consent or authorization for certain public health activities,” pointed out attorney Laurie Cohen in a blog posting for the law firm Nixon Peabody LLP in Albany, New York.

According to the OCR guidance, the HIPAA Privacy Rule allows CEs to disclose necessary PHI without individual authorization:

• To a public health authority, such as the Centers forDisease Control and Prevention (CDC), or a state or local health department authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability.
• At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority.
• To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the CE to notify such persons as necessary to prevent or control the spread of the disease, or otherwise to carry out public health interventions or investigations.

Important: It’s wise to remember that the 1135 Waiver is only good in the affected emergency zones, and for an allotted time period determined by the HHS Secretary in the PHE declaration, the fact sheet mentions. Covered entities, business associates, and volunteers are covered — at hospitals “that have instituted a disaster protocol… and for up to 72 hours” after its implementation. When the 72 hours are up, it’s business as usual and HIPAA must be followed, the advice suggested.

“Emergencies such as these are especially hard on the most vulnerable members of our community, and all of us are committed to doing whatever we can to lend a hand in this public health emergency,” said Roger Severino, OCR Director, in a release on Hurricane Harvey. “OCR is providing resources and ongoing technical assistance to help make sure people get the help they need from the emergency responders and management officials as they continue their tireless and heroic efforts to assist the people … in this critical situation.”

Reminder: It is essential that despite working through a natural disaster that CEs and their associates continue to safeguard patients’ privacy the best they can. Although HIPAA permits disclosures of PHI without patient authorization for public health activities and emergencies, you “cannot disregard a patient’s right toprivacy in those cases where a patient’s informationhas been the subject of a public health report,” Cohen warned.

Resources: To access the 1135 Waivers for Texas, Louisiana, Puerto Rico, the U.S. Virgin Islands, Florida, South Carolina, and Georgia on the Office of the Assistant Secretary for Preparedness and Response (ASPR), visit https://www.phe.gov/emergency/pages/default.aspx.

For more information about the 1135 Waiver policies, visit:

• Emergency-Related Policies & Procedures Implemented With A 1135 Waiver: www.cms.gov/About-CMS/Agency-Information/Emergency/Downloads/MedicareFFS-EmergencyQsAs­1135Waiver.pdf.
• Emergency-Related Policies & Procedures Implemented Without A 1135 Waiver: www.cms.gov/About-CMS/Agency-Information/Emergency/Downloads/Consolidated_Medicare_FFS_Emergency_QsAs.pdf.