HIPAA plays a critical role in every medical practice across the United States. Policy and procedure manuals, privacy officers and constant HIPAA compliance trainings help to keep employees aware of their obligations to keep the patients PHI (protected health information) safe and secure. For the most part, remaining HIPAA compliant is not entirely difficult throughout the day-to-day operations of the practice. However, when medical emergencies arise, dealing with HIPAA can be challenge. The same obligations to abide by HIPAA apply, but a high-stress, time sensitive environment add even more pressure to the medical professional. This blog post will explore how healthcare facilities and medical professionals can effectively deal with HIPAA during these stressful, emergency, medical situations.

The Privacy Rule of HIPAA protects individually identifiable health information (PHI) from uses and disclosures that unnecessarily compromise the privacy of an individual. The Rule is carefully designed to protect the privacy of health information, while allowing important health care communications to occur. The Privacy Rule has been designed to allow specific disclosures to occur, without impeding the efforts of a healthcare professional. Thus by being aware of what disclosures are authorized and what provisions of HIPAA apply during an emergency medical situation, medical professionals can more efficiently and effectively do their job, without fear of costly violations. When providers do not understand how HIPAA applies to a specific medical situation, it is typical to err on the side of caution, potentially compromising a provider’s ability to do their job to the best of their ability.

This blog post will discuss 5 emergency medical situations that one may encounter as a healthcare provider in addition to how HIPAA applies.

  • Emergency Disclosures – During the initial treatment of a patient, a healthcare entity determines a PHI disclosure is necessary to treat the patient.
    • The Privacy Rule states that “covered entities may reveal PHI if it is deemed necessary to treat the patient, even without the patient’s authorization.”
    • This also means that if medical professionals determine that releasing PHI to a public health authority, like the CDC (Center for Disease Control) or a local or state health department, is necessary to treat the patient, they are authorized to do so.
  • Media Disclosures – A victim of a sensationalized criminal act comes to your healthcare facility. Someone from the press calls to inquire about the condition of the patient
    • If the member of the press specifically requests the patient by name, general health information and location can be disclosed, unless of course the patient has requested their information not be released. If the medical professional is unable to locate the patients next of kin, and believe it to be in the best interest of the patient, they may release information to the press to locate these individuals.
  • Family Disclosures – The family member of an incapacitated patient asks the healthcare professional not to inform the patient, until the family feels they are ready, of a serious diagnosis (cancer, terminal illness, etc.).
    • If the patient specifically requests their PHI, the privacy rule dictates that it cannot be denied from them. If such a request has not been made, the medical professional is able to use their judgment to determine what is in the best interest of the patient.
  • Emergency Declaration by Federal Officials – the President declares a disaster or emergency and the Secretary of Health and Human Services (HHS) declares a public health emergency
    • These circumstances combined result in a unique period, of up to 72 hours, when HIPAA violation penalties against a hospital may be waived for breaking the following parts of the Privacy Rule
      • Requirement to obtain patient consent to speak with family or caregivers.
      • Requirement to obey a patient’s request to opt out of a facility directory.
      • Requirement to supply a notice of privacy practices upon request
      • A patient’s right to request privacy restrictions.
      • A patient’s right to ask for confidential communication.
    • Law Enforcement Disclosures – The healthcare facility successfully resuscitates an unresponsive patient that was brought in by the police. Afterwards, the police ask about the patient’s condition
      • PHI can be disclosed to law enforcement under specific conditions. If the patient is incapacitated and is reasonably believed to be the victim of a crime, a healthcare provider can make disclosures if law enforcement shows that: 1) the PHI will not be used against the patient, 2) Prompt law enforcement action is dependent on the disclosure, 3) the disclosure is necessary for the police to make a determination is someone else broke the law, and 4) law enforcement activity would be negatively affected by waiting until the patient is alert and responsive to agree to the disclosure. As always, a medical professional judgment should always be in the best interest of the patient.

In conclusion, when an emergency medical situation arises, covered healthcare entities must continue to use reasonable safeguards to protect PHI. Additionally, it is critical to remember that all decisions must be rendered with the patient’s best interests in mind. When an emergency situation occurs the rules become confusing as numerous exceptions begin to arise. Fortunately, HIPAA has provided guidance as to what is acceptable. We hope this blog post has helped your organization feel more confident to effectively render care, in emergency situations.