Exceptions to HIPAA Privacy Requirements Improve Patient Care During Crises

Ever since its advent, critics of the HIPAA regulations have been complaining to anyone who will listen about the unnecessary regulatory burden it imposes. A common complaint is that HIPAA, a subtitle of the HITECH Act, was partly intended to improve access to critical health data, but instead hamstrings medical providers’ ability to respond to unusual circumstances. This issue has once again floated to the surface of public discourse after Hurricane Harvey and the 2017 Las Vegas shooting, in which thousands of victims sought emergency health care during chaotic crises.


Historically, misreporting and misinformation about privacy laws during mass casualty events have added confusion to the chaos as providers grapple with whether or not to release information to relatives of patients and the press. However, the HHS has the power to waive sanctions and penalties for providers that violate certain provisions during a health crisis or national emergency, giving providers the flexibility they need to take action.


In this article, we’ll set the record straight about the specific circumstances and events in which HIPAA Privacy requirements can be waived or where exceptions exist. As a provider, the ability to act quickly and confidently in these situations can allow you to give better care to your community in times of need.


National Emergencies: National emergencies grip the nation’s attention as family members and the public alike search for information about those in harm’s way. For a privacy waiver to go into effect in this circumstance, two things must happen: the President must declare an emergency or disaster, and the HHS Secretary must declare a public health emergency. Interestingly enough, this isn’t technically a waiver of HIPAA itself, but a waiver of any sanctions that would otherwise result from violating certain sections of the Privacy Rule.


But don’t consider it a free pass for lawlessness. The only sections for which sanctions are waived during a national emergency are as follows:


  1. The requirements to obtain a patient’s agreement to speak with family members or friends involved in a patient’s care (45 CFR 164.510(b))

  2. The requirement to honor a request to opt out of a facility directory (45 CFR 164.510(a))

  3. The requirement to distribute a notice of privacy practices (45 CFR 164.520)

  4. The patient’s right to request privacy restrictions (45 CFR 164.522(a))

  5. The patient’s right to request confidential communications (45 CFR 164.522(b))

The fact that both the President must declare a disaster and the HHS Secretary must declare a public health emergency is an important aspect to note. The President rarely declares a disaster for man-made occurrences. That means that, even if the HHS Secretary wants to provide a waiver in a situation like the Las Vegas shooting, in most cases they are unable to. But even though HIPAA penalties aren’t waived, providers still have recourse within the normal boundaries of the law. The Privacy Rule states that in the case of a “severe disaster”, covered entities are allowed to locate and notify family members and guardians of patients’ location and status.


The Opioid Crisis: In mid-October, President Trump declared the opioid addiction crisis a national public health emergency. In accordance with the President’s announcement, the OCR released new HIPAA guidance for the opioid crisis which gives providers leeway in informing family members about the opiate use of incapacitated patients. If a patient is incapacitated, doctors are allowed to give more information about an opioid overdose than is strictly necessary for the course of treatment. The individuals allowed to receive this information are limited to family members and other people who could prevent or lessen a threat to the patient’s safety. However, if the patient does have decision-making capacity, the provider must give the patient the opportunity to decide whether or not they want this information disclosed to others.


Between Medical Providers: Let me be clear, in no uncertain terms: providers ARE allowed to communicate with each other. There is a great deal of confusion around this provision, and providers often err on the side of caution and limit the amount of information they share. However, the Privacy Rule does not put any limit on the amount or type of PHI that providers are allowed to share between themselves, as long as the sharing is for treatment, payment, or clinical operations. The communications do not have to remain within the same organization and can occur between providers at different covered entities in writing, by phone, fax, e-mail, or otherwise, as long as proper security protocols have been observed.


Academic Studies: Under the Privacy Rule, academic Institutional Review Boards (IRBs) may waive the authorization requirements for scientific studies that meet specific criteria. The authorization requirements state that a covered entity may not use or disclose PHI without the explicit consent of the subject of that PHI. But this is far from a blank check for mad science. Waivers for academic studies are only approved for studies in which obtaining authorization would be a financial or logistical impediment. For example, when a research data set containing PHI is missing contact information, it would be difficult or impossible for the researchers to obtain consent from those individuals. Additionally, the criteria dictate that a waiver may only be used for studies that pose minimal risk to the privacy of the individuals involved and where the research absolutely cannot be completed without the waiver.


Public Health Disclosures: The Privacy Rule allows covered entities to disclose PHI, without authorization, to public health authorities. This means that any information that a provider reports to an authorized public health authority can be disclosed without patient authorization or a specific waiver. Examples of what can be disclosed include: reporting a disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions.


Additionally, there are a few other public health situations in which PHI can be disclosed without authorization to entities other than public health authorities:


  • Child abuse or neglect.

    • A covered entity may report to social services or law enforcement.

  • Quality, safety or effectiveness of a product or activity regulated by the FDA.

    • May be reported to any entity involved with the product, as long as that entity is under the jurisdiction of the FDA.

  • Workplace medical surveillance.

    • May be reported to an employer in fields that are required by law to conduct medical surveillance, such as natural resource mining.

  • A contagious disease exposure.

    • May be reported swiftly to those people at risk, if the covered entity is legally authorized to do so in order to prevent the spread of disease.

Don’t believe the hype from HIPAA haters that HIPAA is severely limiting provider response. Lawmakers have taken the time to address multiple situations in which exceptions to the Privacy Rule apply. If there’s any confusion about what you’re allowed to do in normal circumstances, here is the HHS list of allowable disclosures. Maintaining a thorough knowledge of these circumstances is essential if you want your organization to stay agile while remaining in compliance with the law.