Q
Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Do HIPAA compliance requirements change during health crises?

Outbreaks of Ebola caused widespread fear, but should enterprises be worried about the effect on HIPAA compliance requirements? Compliance expert Mike Chapple explains.

The U.S. Department of Health and Human Services (HHS) released a bulletin addressing the effects of the Ebola...

outbreak -- and other future medical emergencies -- on HIPAA compliance. Can you explain what the bulletin covers and if HIPAA-regulated organizations need to change any practices in particular?

The Ebola outbreak raised questions among healthcare providers about their responsibilities surrounding the sharing and safeguarding of patient information. During any health crisis, public health officials must share information to help mitigate the emergency, but all of this sharing must take place within the constraints of HIPAA. One line in the report sums up the situation well: "the protections of the Privacy Rule are not set aside during an emergency."

HIPAA compliance requirements allows the sharing of personal health information when it's required for treating patients or public health purposes. HIPAA grants broad authority to share information among healthcare providers when it's necessary to treat a patient -- either the patient who is the subject of the records or another patient. Providers may also disclose information to public health authorities at the federal, state or local level when needed for the purpose of preventing or controlling disease, injury or disability.

Healthcare providers may also share patient information with a patient's family, friends or others involved in their care. If the patient is capable of communication, providers should first get verbal permission from the patient or, at the very least, be able to reasonably infer that the patient does not object. If the patient is not able to communicate, they may share information if they feel it is in the patient's best interest.

HIPAA places much stricter restrictions on disclosures to the media or others not directly involved in the patient's care. Generally speaking, a provider may only acknowledge that an individual is a patient and a general description of his or her condition -- e.g. critical or stable, current patient, treated and released or deceased. Any other disclosures that involve personally identifiable information, such as test results or diagnoses require the written authorization of the patient or his representative.

The bottom line is in most cases, all provisions of HIPAA compliance continue to apply during a public health emergency. The Secretary of Health and Human Services may issue very limited waivers of HIPAA notification and consent requirements during a presidentially declared disaster, but those cases are few and far between.

Next Steps

Check out this training, audit and requirement checklist for HIPAA compliance

More companies benefitting from private health insurance exchanges

Ensuring personal cloud storage meets HIPAA compliance requirements

This was last published in April 2015

Dig Deeper on HIPAA

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

I guess that if disclosures to the media are governed so strictly, how is it that everyone in the world new the names of the first few Ebola cases in the U.S. ? It's good that we did know, though. When we're talking about highly contagious viruses like Ebola, the public should have the right to know.
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

Close