Patient privacy still applies no matter how busy your ED is. If patient information is being shared or accessed, HIPAA is involved. And just because patients move in and out of emergency departments quickly, doesn’t mean you don’t have time to adhere to your ED’s privacy policy. Take a look at these strategies to ensure HIPAA compliance in your emergency department. Institute HIPAA Protocols for the ED Just Like Anywhere Else In emergency situations, your priority is to ensure that a patient is safe and healthy. Meanwhile, however, you must take measures to protect each patient’s private health information, even if the ED becomes chaotic or crowded. “The protections of the Privacy Rule are not set aside during an emergency,” the HHS Office for Civil Rights (OCR) said in its 2014 Bulletin, HIPAA Privacy in Emergency Situations. This means you must train your staff members on the HIPAA privacy rules and adhere to them, ensuring that your patients’ protected health information (PHI) stays secure. The OCR Bulletin does include several examples of situations when you may use and disclose PHI “to treat a patient, to protect the nation’s public health, and for other critical purposes.” For example: The OCR says you can disclose PHI about a patient without authorization if it’s required to treat that patient or another one. “Treatment includes the coordination or management of healthcare and related services by one or more healthcare providers and others, consultation between providers, and the referral of patients for treatment,” the document says. Remember, Not Everything Is Considered a Violation The OCR also makes HIPAA exceptions in other situations. For instance, the Bulletin notes, “Healthcare providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public — consistent with applicable law.” Here’s why: “The ‘serious and imminent threat’ exception to HIPAA is based on the Tarasoff case from many years ago in California, in which a psychologist failed to warn a patient’s spouse that he was planning to kill her — the intent to do so had been disclosed by the patient in a counseling session,” says healthcare attorney Kevin West, Esq., with Parsons Behle & Latimer in Boise, Idaho. Because of the Tarasoff case, the HIPAA rules follow the concept that protecting people from a real and serious threat can override patient privacy, West said. “The sharing of such information is generally to law enforcement, though it could be made to others depending on the situation. In the emergency setting I can see this happening if the patient is impaired by drugs or alcohol and plans to operate a motor vehicle after departing the ED. In that situation, the ED could notify police authorities. The same is true regarding an agitated patient who expresses a specific intent to harm someone.” Scenario: Keep in mind, however, that protecting your patients doesn’t always have to involve the disclosure of PHI. For instance, if a patient known to that ED with schizophrenia comes into the waiting room with a knife and the ED nurse yells, “He has a knife!” she is protecting the other patients but not revealing the patient’s name or the diagnosis that she is aware the patient has. Likewise, if you had a patient in the waiting area who was discovered to have a communicable disease, it would not be a HIPAA violation to tell the other patients there that they had been exposed to the virus unless you said who the infected person was, Westsays. Make Reasonable Efforts to Limit What You Reveal The OCR Bulletin states, “For most disclosures, a covered entity must make reasonable efforts to limit the information disclosed to that which is the ‘minimum necessary’ to accomplish the purpose.” But if you don’t understand what the government means by “minimum necessary,” you may not be prepared to adhere to this regulation. “The ‘minimum necessary rule’ embodies the general notion that when sharing PHI, healthcare providers should only share the minimum amount needed for the particular situation,” West says. “This is often a case-by-case judgment call and thus it is not possible to give black and white rules that apply to every situation.” Consider this: Suppose, for example, that your ED treated a patient impaired by drugs or alcohol who said he planned to drive home after being treated. “The ED doctor could call the police and share that the patient was under the influence and planned to drive home, but it would not be appropriate to share everything else that might be in the patient’s chart that is not germane to the threat posed by the patient,” West says. “This is an example of the minimum necessary concept in play.” Resource: To review the ORC document “HIPAA Privacy in Emergency Situations,” visit https://www.hhs.gov/sites/default/files/emergencysituations.pdf.