Protecting resident’s medical information is part of mitigating an emergency. With increasingly hazardous inclement weather on the rise, facilities will probably encounter a natural disaster or other emergency. Employees looking to quickly evacuate or shelter with residents won’t be thinking about the intricacies of the Health Insurance Portability and Accountability Act (HIPAA) Privacy or Security Rules. Enact your preparations now so you have peace of mind that a HIPAA breach won’t be an extra headache when everything else is tough. Stay Abreast of Current PHEs The Department of Health and Human Services (HHS) has declared three hurricane-related public health emergencies (PHEs), which offer regulatory relief for providers — including specific HIPAA-related flexibilities. At press time, HHS Secretary Xavier Becerra had already declared three separate PHEs for hurricanes that hit the U.S. in recent weeks. First, on Sept. 20, he declared a Hurricane Fiona PHE for Puerto Rico backdated to Sept. 17. Next, on Sept. 26, Becerra declared Hurricane Ian a PHE for Florida dated back to Sept. 23 and followed that up with another declaration for South Carolina on Sept. 30, backdated to Sept. 25. See the PHE declarations at https://aspr.hhs.gov/legal/PHE/Pages/default.aspx. Reminder: The HHS Secretary may waive some sanctions and penalties for covered entities (CEs) and business associates (BAs) under a PHE determination, but healthcare providers and their partners are still tasked with safeguarding patients’ (or, in this case, residents’) protected health information (PHI).
Test your knowledge on these 10 questions to see if you know the HIPAA essentials. 1. What are the three groups CEs can share PHI with in reference to public health activities during a PHE? A. public health authorities B. foreign governments at the direction of a public health authority or working in tandem with the authority C. people at risk of contracting or spreading disease D. all of the above 2. Give an example of a public health authority that a CE can share patients’ PHI with during a PHE — without prior authorization. A. the Centers for Disease Control and Prevention (CDC) B. a healthcare lawyer C. a neighbor D. all of the above 3. True or false: No matter the type of disaster or PHE, a CE is never relieved of distributing a notice of privacy practices. A. true B. false 4. What should a CE utilize before determining that it’s acceptable to share patients’ PHI with friends or family? A. another doctor’s opinion B. ICD-10-CM codes C. professional judgment D. enforcement agencies 5. What does this define under the HIPAA Privacy Rule: “The provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another?” A. payment B. treatment C. designated record set D. coding 6. True or false: A CE must continue to make every effort to safeguard PHI during a PHE, disclosing only the minimum information necessary to care and treat patients. A. true B. false 7. Under what regulations are the waivers associated with HIPAA sanctions and penalties addressed? A. The Affordable Care Act, section 5, and the CCPA B. The CARES Act, part 1, and the Consolidated Appropriations Act, 2022 C. The Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act D. all of the above 8. What is an example of an incident or emergency that would precipitate a PHE declaration? A. natural disaster B. mass shooting C. health crisis, epidemic, or pandemic D. all of the above 9. Are disclosures to the media about a patient’s PHI allowed during a PHE? A. yes, the media is a public health authority B. no, under no circumstances because that’s a HIPAA violation C. Yes, but only if the patient doesn’t object to the request for information, is incapacitated, the disclosure is in the best interest of the public and was previously OK’d with the patient’s written authorization D. none of the above Answers: 1. D 2. A 3. B 4. A 5. B 6. A 7. C 8. D 9. C