Ebola and HIPAA: how to comply

HHS publishes new guidance for emergency situations
By Erin McCann
November 10, 2014
11:08 AM
In emergency situations like the Ebola crisis that reached American soil this fall, do covered entities need to comply with the HIPAA Privacy Rule? New guidance put out by the Department of Health and Human Services sheds light on how exactly organizations are expected to adhere. 
 
Be sure of one thing: The privacy rule still applies, but HHS has outlined several exceptions related to public health emergencies that allow in some cases a little more flexibility around information sharing.  
 
 
The Office for Civil Rights, the HHS division responsible for enforcing HIPAA, offered its guidance Monday for covered entities and business associates who may find themselves in public health emergency situations. 
 
Calling the privacy rule "balanced," OCR officials pointed out that "the protections of the privacy rule are not set aside during an emergency," but that its purpose was also to "ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation's public health and for other critical purposes."
 
Among the big takeaways? Public health safety and personal safety trumps medical privacy when it comes to cases of immediate danger, OCR guidance said. "Healthcare providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat."
 
 
OCR also pointed out that HHS may waive certain HIPAA privacy rule provisions, both sanctions and penalties, for the covered hospital. These waivers would take effect if first the President were to declare an emergency and HHS Secretary Sylvia Mathews Burwell subsequently declared a public health emergency. 
 
The following waivers include: 
 
  • Requirements to obtain a patient's agreement to speak with family members or friends involved in the patient's care;
  • requirement to honor a request to opt out of the facility directory; 
  • requirement to distribute a notice of privacy practices; 
  • the patient's right to request privacy restrictions; 
  • the patient's right to request confidential communications. 
Under the privacy rule, covered entities and business associates may share protected health information without a patient's consent in certain instances, including to public health authorities, such like the Centers for Disease Control and Prevention; to a foreign government agency at the request of a public health authority; and to people considered at risk of contracting the related health condition or disease. 
 
Covered entities may also share a patient's protected health information without prior consent "as necessary to treat the patient or to treat a different patient," OCR said.
Topics: 
Electronic Health Records (EHR, EMR)

More regional news

A doctor in scrubs reviewing a patient's record on a digital tablet

$14M more for EMR implementation in Victoria and more briefs

By
Adam Ang
November 24, 2024
Clinician in scrubs at a hospital computer

CommonSpirit partners up with U of U for clinical collaboration

By
Andrea Fox
November 22, 2024
Stethoscope on an iPad

HIMSSCast: Care provider or tool? When and why patients like AI

By
Andrea Fox
November 22, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story
EHR tips on migrating an all-digital hospital to Epic

Most Read

VA must strengthen controls addressing EHR performance
Visible, active leadership is vital to change management, says Epic emeritus CIO advisor
GPs cry My Health Record 'overhaul' and more briefs
CIOs must understand change management theories, frameworks and practices
India-specific big cancer database goes live
Epic calls on Carequality to release Particle dispute resolution

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

David Miles at Oklahoma Heart Hospital_Part 2_Doctor holding health icon Photo by Tippapatt/iStock/Getty Images Plus
Switching from Cerner to Epic? Meet a CIO who made it out alive
David Miles at Oklahoma Heart Hospital_Part 1_Doctor holding health icon Photo by Tippapatt/iStock/Getty Images Plus
The CIO of an all-digital hospital walks readers through its successes
Dr Alice Sutedjo Lisa at SMC Telogorejo Hospital_HIMSS24 APAC
Assisting the elderly in digital care
Dr. Benoit Desjardins of the University of Montreal
Cyberattacks are becoming more widespread, and more disruptive

More Stories

Dr. Mehmet Oz
Trump picks Dr. Mehmet Oz to head CMS
Agency cybersecurity infosec illustrated by many colored streams harnessed by a lock
OIG again deems HHS' infosec program ineffective
Joanna Lucas, RN, of St. Luke's University Health Network
Case and referral management technology gets big results for St. Luke's
Dr. Benoit Desjardins of the University of Montreal
Cyberattacks are becoming more widespread, and more disruptive
Northwestern Medicine
Northwestern Medicine announces international healthcare collaboration
BJ Schaknowski of symplr
Too many IT systems with limited alignment impacts care quality
Doctor in scrubs using computer
Tenet to deploy AI platform across its physician network
Healthcare CIO with other healthcare executives
Health system CIOs' strategic responsibilities continue to evolve