Health Information Compliance Alert

HIPAA:

Measure Your Disaster Smarts With 10 Tough Privacy Questions

Remember, HIPAA applies to volunteers, too.

When a natural disaster strikes, the last thing on your employees’ minds is whether they’ve followed HIPAA correctly. And that’s why certain regulations allow for relaxation of the Rules during emergencies.

Now: The Department of Health and Human Services (HHS) has declared three hurricane-related public health emergencies (PHEs), which offer regulatory relief for providers — including specific HIPAA-related flexibilities.

At press time, HHS Secretary Xavier Becerra had already declared three separate PHEs for hurricanes that hit the U.S. in recent weeks. First, on Sept. 20, he declared a Hurricane Fiona PHE for Puerto Rico backdated to Sept. 17. Next, on Sept. 26, Becerra declared Hurricane Ian a PHE for Florida dated back to Sept. 23 and followed that up with another declaration for South Carolina on Sept. 30, backdated to Sept. 25. See the PHE declarations at https://aspr.hhs.gov/legal/PHE/Pages/default.aspx.

Reminder: The HHS Secretary may waive some sanctions and penalties for covered entities (CEs) and business associates (BAs) under a PHE determination, but healthcare providers and their partners are still tasked with safeguarding patients’ protected health information (PHI).

Test your knowledge on these 10 questions to see if you know the HIPAA essentials.

1. What are the three groups CEs can share PHI with in reference to public health activities during a PHE?

A. public health authorities

B. foreign governments at the direction of a public health authority or working in tandem with the authority

C. people at risk of contracting or spreading disease

D. all of the above

2. Give an example of a public health authority that a CE can share patients’ PHI with during a PHE — without prior authorization.

A. the Centers for Disease Control and Prevention (CDC)

B. a healthcare lawyer

C. a neighbor

D. all of the above

3. True or false: No matter the type of disaster or PHE, a CE is never relieved of distributing a notice of privacy practices.

A. true

B. false

4. What is the Code of Federal Regulations citation associated with the distribution of notices of privacy practices?

A. 45 CFR 164.520

B. 45 CFR 164.522(a)

C. 45 CFR 164.510(b)

D. 45 CFR §§ 164.502(a)(1)(ii)

5. What should a CE utilize before determining that it’s acceptable to share patients’ PHI with friends or family?

A. another doctor’s opinion

B. ICD-10-CM codes

C. professional judgment

D. enforcement agencies

6. What does this define under the HIPAA Privacy Rule: “The provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another”?

A. payment

B. treatment

C. designated record set

D. coding

7. True or false: A CE must continue to make every effort to safeguard PHI during a PHE, disclosing only the minimum information necessary to care and treat patients.

A. true

B. false

8. Under what regulations are the waivers associated with HIPAA sanctions and penalties addressed?

A. The Affordable Care Act, section 5, and the CCPA

B. The CARES Act, part 1, and the Consolidated Appropriations Act, 2022

C. The Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act

D. all of the above

9. What is an example of an incident or emergency that would precipitate a PHE declaration?

A. natural disaster

B. mass shooting

C. health crisis, epidemic, or pandemic

D. all of the above

10. Are disclosures to the media about a patient’s PHI allowed during a PHE?

A. yes, the media is a public health authority

B. no, under no circumstances because that’s a HIPAA violation

C. yes, but only if the patient doesn’t object to the request for information, is incapacitated, the disclosure is in the best interest of the public and was previously OK’d with the patient’s written authorization

D. none of the above

Answers: 1) D 2) A 3) B 4) A 5) C 6) B 7) A 8) C 9) D 10) C