The U.S. Department of Health and Human Services (HHS) released a bulletin addressing the effects of the Ebola outbreak -- and other future medical emergencies -- on HIPAA compliance. Can you explain what the bulletin covers and if HIPAA-regulated organizations need to change any practices in particular?
The Ebola outbreak raised questions among healthcare providers about their responsibilities surrounding the sharing and safeguarding of patient information. During any health crisis, public health officials must share information to help mitigate the emergency, but all of this sharing must take place within the constraints of HIPAA. One line in the report sums up the situation well: "the protections of the Privacy Rule are not set aside during an emergency."
HIPAA compliance requirements allow the sharing of personal health information when it's required for treating patients or for public health purposes. HIPAA grants broad authority to share information among healthcare providers when it's necessary to treat a patient -- either the patient who is the subject of the records or another patient. Providers may also disclose information to public health authorities at the federal, state or local level when needed for the purpose of preventing or controlling disease, injury or disability.
Healthcare providers may also share patient information with a patient's family, friends or others involved in their care. If the patient is capable of communication, providers should first get verbal permission from the patient or, at the very least, be able to reasonably infer that the patient does not object. If the patient is not able to communicate, they may share information if they feel it is in the patient's best interest.
HIPAA places much stricter restrictions on disclosures to the media or others not directly involved in the patient's care. Generally speaking, a provider may only acknowledge that an individual is a patient and give a general description of his or her condition -- e.g. critical or stable, current patient, treated and released, or deceased. Any other disclosures that involve personally identifiable information, such as test results or diagnoses, require the written authorization of the patient or his representative.
The bottom line is that, in most cases, all provisions of HIPAA compliance continue to apply during a public health emergency. The Secretary of Health and Human Services may issue very limited waivers of HIPAA notification and consent requirements during a presidentially declared disaster, but those cases are few and far between.