HIPAA Regulatory Alert: HHS says HIPAA rules allow Katrina information-sharing
Criteria include imminent danger to patients or the public
Within days of Hurricane Katrina lashing the Gulf Coast states, the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) reminded providers through mailed notices and news media announcements that the privacy rule allows patient information to be shared to assist in disaster relief efforts and in providing patients the care they need.
The department said providers and health plans covered by HIPAA's privacy rule can share patient information in these ways:
• Treatment. Health care providers can share patient information as necessary to provide treatment, including sharing information with other providers such as hospitals and clinics; referring patients for treatment, including linking patients with available providers in areas where patients have relocated; and coordinating patient care with others, such as emergency relief workers or others who can help find patients appropriate services.
• Notification. Health care providers can share patient information as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for an individual's care. HHS said providers should get verbal permission from individuals when possible but may share information about people who are incapacitated or not available if it is their judgment that sharing information is in the patient's best interest. When necessary, a hospital may notify the police, news media, or public at large to the extent necessary to help locate, identify, or otherwise notify family members and others of the location and general condition of their loved ones. In addition, when a health care provider is sharing information with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, it isn't necessary to obtain a patient's permission to share the information if doing so would interfere with the organization's ability to respond to the emergency.
• Imminent Danger. Providers can share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public, consistent with applicable law and the provider's standards of ethical conduct.
• Facility Directory. Health care facilities maintaining a directory of patients can tell people who call or ask about individuals whether the individual is at the facility, the person's location in the facility, and general condition.
HHS also announced a Section 1135 waiver that covered, among other things, sanctions and penalties arising from non-compliance with three provisions of the HIPAA privacy regulations — (1) the requirement to obtain a patient's agreement to speak with family members or friends or to honor a patient's request to opt out of a facility directory; (2) the requirement to distribute a notice of privacy practices; and (3) a patient's right to request privacy restrictions or confidential communications.
In a later bulletin, the department expanded on its privacy rule compliance guidance for activities in response to Katrina and also explained how it would apply enforcement discretion.
That bulletin said that in addition to permissible disclosures by covered entities, business associates that are managing such information on behalf of covered entities may make disclosures to the extent permitted by their business associate agreements with the covered entities, as provided in the privacy rule. Thus, a business associate agreement may broadly permit the business associate to make disclosures the covered entity is permitted to make, or may otherwise permit the business associate to make treatment or other disclosures as permitted by the privacy rule. If a business associate agreement does not permit such disclosures, the covered entity and business associate can amend the agreement to permit them.
Similarly, if a business associate uses an agent to assist in performing its business associate functions, the business associate must ensure that the agent agrees to the privacy restrictions and conditions that apply to the business associate. The agreement between a business associate and its agent may also broadly permit the agent to make disclosures the covered entity is permitted to make or may otherwise permit the agent to make treatment or other disclosures permitted by the privacy rule.
Enforcement discretion being used
The department says the law provides that HHS may not impose a civil money penalty if failure to comply is based on reasonable cause and is not due to willful neglect, and the failure to comply is cured within a 30-day period. The department has the authority to extend the period within which a covered entity may cure the noncompliance.
"We advise that in determining whether reasonable cause exists for a covered entity's failure to meet the business associate requirements and in determining whether and to what extent the period within which noncompliance must be cured, OCR will consider the emergency circumstances arising from Hurricane Katrina, along with good faith efforts by covered entities, their business associates and their agents, both to protect the privacy of health information and to appropriately execute the agreements required by the privacy rule as soon as practicable," according to HHS.
OCR also said it would not take enforcement action or seek civil money penalties in response to any complaints received involving use or disclosure of protected health information in the flood area if the release would have been permissible with a business associate agreement. It said if covered entities, business associates, or agents were unable to formalize agreements in time to meet evacuees' immediate needs but executed the agreements as soon as possible, there would be no enforcement action.
In another action with ramifications for HIPAA, the federal government used prescription drug records provided by retail pharmacies to establish a database of Hurricane Katrina evacuees in eight shelters. The initial database included prescription information for more than 800,000 individuals located in 150 ZIP codes affected by the hurricane. Federal officials said they hoped to add electronic health records from pharmacy benefit managers, laboratories, Department of Veterans Affairs health facilities, and the Louisiana and Mississippi Medicaid programs.
This reportedly is the first time the federal government has used private health records from retailers to compile an electronic database. Although patient consent is not required when health records are shared for medical purposes, companies and organizations that possess such records must reach formal agreements before they can share the information with each other. But federal officials said they would not enforce the formal agreement requirement in this instance provided the companies and organizations reach verbal agreements to use the health records to help hurricane evacuees.