Patient Care During A Crisis
Historically, misreporting and misinformation about privacy laws during mass casualty events have added confusion to the chaos as providers grapple with whether or not to release information to relatives of patients and the press.
However, the HHS has the power to waive sanctions and penalties for providers that violate certain provisions during a health crisis or national emergency, giving providers the flexibility they need to take action.
As a provider, the ability to act quickly and confidently in these situations can allow you to give better care to your community in times of need.
National emergencies grip the nation’s attention as family members and the public alike search for information about those in harm’s way.
For a privacy waiver to go into effect in this circumstance, two things must happen.
- The President must declare an emergency or disaster;
- The HHS Secretary must declare a public health emergency.
Interestingly enough, this isn’t technically a waiver of HIPAA, but actually a waiver of any possible sanctions that would result from violating certain sections of the Privacy Rule.
But don’t consider it a free pass for lawlessness.
The only sections for which sanctions are waived during a national emergency are as follows:
- The requirements to obtain a patient’s agreement to speak with family members or friends involved in a patient’s care (45 CFR 164.510(b))
- The requirement to honor a request to opt out of a facility directory (45 CFR 164.510(a))
- The requirement to distribute a notice of privacy practices (45 CFR 164.520)
- The patient’s right to request privacy restrictions (45 CFR 164.522(a))
- The patient’s right to request confidential communications (45 CFR 164.522(b))
The fact that the President must declare a disaster and the HHS Secretary must declare a public health emergency is an important aspect to note. The President rarely declares a disaster for man-made occurrences.
Therefore, despite the fact that the HHS Secretary may want to provide a waiver in a situation like the Las Vegas shooting, they are unable to.
Even though HIPAA penalties aren’t waived, providers still have recourse within the normal boundaries of the law. The Privacy Rule states that in the case of a “severe disaster”, covered entities are allowed to locate and notify family members and guardians of patients’ location and status.
Regular Patient Care
- the reporting of a disease or injury;
- reporting vital events, such as births or deaths;
- conducting public health surveillance, investigations, or interventions.
- Child abuse or neglect
- A Covered Entity may report to social services or law enforcement.
- Quality, safety or effectiveness of a product or activity regulated by the FDA
- May be reported to any entity involved with the product as long as that entity is under the jurisdiction of the FDA.
- Workplace Medical Surveillance
- May be reported to an employer in fields that are required to do medical surveillance by law, such as natural resource mining
- Contagious disease exposure
- May be reported swiftly to those people at risk if the covered entity is legally authorized to do so in order to prevent the spread of disease.
Don’t believe the HIPAA haters when they say that HIPAA is severely limiting provider response.
Lawmakers have taken the time to address multiple situations in which exceptions to the Privacy Rule are acceptable. Maintaining a thorough knowledge of these circumstances is essential if you want your organization to stay agile while remaining in compliance with the law.
If you still have questions about staying compliant in normal (or abnormal) circumstances, give Gazelle Consulting a call at (503)-389-5666! We are here to answer all of your compliance questions.