Practice Management Alert

Compliance:

You Could Suspend Some HIPAA Privacy Provisions in Emergency

Published on Thu Jul 05, 2018

Don’t count on a suspension, but know your leeway when these particular circumstances apply.

The only situation in which the Health Information Portability and Accountability Act (HIPAA) privacy rule provisions could be suspended are if the President of the United States declares a state of disaster and the Secretary of Health and Human Services (HHS) declares a public health emergency.

In that situation, the HHS Secretary has the ability to waive “sanctions and penalties against a covered hospital” for particular provisions of HIPAA, according to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) website.

According to the OCR, the particular provisions include:

“the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care (45 CFR 164.510(b))
“the requirement to honor a request to opt out of the facility directory (45 CFR 164.510(a))
“the requirement to distribute a notice of privacy practices (45 CFR 164.520)
“the patient's right to request privacy restrictions (45 CFR 164.522(a))
“the patient's right to request confidential communications (45 CFR 164.522(b)).”

In the event that HHS secretary issues such a waiver, it only applies within particular parameters, says the OCR website — think emergency treatment during and immediately following the disaster:

“In the emergency area and for the emergency period identified in the public health emergency declaration.
“To hospitals that have instituted a disaster protocol. The waiver would apply to all patients at such hospitals.
“For up to 72 hours from the time the hospital implements its disaster protocol.”

Note: “When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol,” says the OCR website.

“Regardless of the activation of an emergency waiver, the HIPAA Privacy Rule permits disclosures for treatment purposes and certain disclosures to disaster relief organizations. For instance, the Privacy Rule allows covered entities to share patient information with the American Red Cross so it can notify family members of the patient’s location,” says the OCR website.

Bottom line: Focus on treating patients, first and foremost. Stay aware of the emergency or public health status and your legal responsibilities, but put patients and safety first.

Practice Management Alert

Technology Today:
Don't Be Tempted by Virtual Assistants
Hint: If your helper can’t sign a BAA, you’re risking HIPAA violations. Personal virtual assistant [...]

Disaster Preparedness:
Don't Let a Hurricane Storm Your Practice
A comprehensive disaster plan could be the difference in your business surviving or going under [...]

Clip and Save:
Keep These General Disaster Prep Tips in Mind
Don’t fall prey to incomplete preparations — use these general tips to ensure a faster [...]

Compliance:
You Could Suspend Some HIPAA Privacy Provisions in Emergency
Don’t count on a suspension, but know your leeway when these particular circumstances apply. The [...]

Reader Question:
Meet Particular Circumstances for Leave Tax Credit
Question: What is “family and medical leave” for purposes of the paid family and medical [...]

Reader Question:
Outsourcing CSP? HIPAA Still Applies
Question: Our company uses a small cloud services provider (CSP) based in Canada. Does the [...]

Reader Question:
Check in on MIPS Status
Question: My practice is making the transition to Merit-Based Incentive Payment System (MIPS), but I [...]

Reader Question:
Use These Tips to Boost Patient Satisfaction
Question: One of the physicians in our office is great about medicine but kind of [...]

View All