Medicare Compliance & Reimbursement

Privacy controls are tough on a good day; find out what you can do in a disaster.

As the United States continues to reel from the after effects of Hurricanes ‘ Harvey and Irma, many healthcare teams need guidance to circumvent HIPAA issues for systems, offices, and hospitals still seriously impacted by natural disaster. And with Hurricanes’ Jose and Maria adding more problems to the feds response to disaster relief and care, Medicare providers must prepare for more public health issues ahead.

Background: Hurricane and then Tropical Storm Harvey left Texas reeling from over 52 inches of rain and heavy winds, then moved on to destroy parts of the Louisiana Gulf Coast in late August and early September. Flooding and massive infrastructure losses ensued. Less than two weeks later, Hurricane Irma — a Category 5 storm through the Caribbean, which hit southern Florida in different places at Categories 3 and 4 respectively — wreaked havoc on Puerto Rico, the U.S. Virgin Islands, Florida, South Carolina, and Georgia leaving misery and chaos in its wake. Thousands remain without access to power, fresh water, and shelter in some of the impacted areas.

“The Florida Keys were particularly hard hit in this massive storm, and all current indicators are that the medical infrastructure is damaged and in some cases may be destroyed,” explained HHS Assistant Secretary for Preparedness and Response Robert Kadlec, MD in a release discussing HHS Secretary Tom Price’s disbursement of 675 medical personnel to Puerto Rico, the U.S. Virgin Islands, and Florida as well as much needed medical equipment to damaged zones.

Public health crisis: The HHS determined Public Health Emergencies (PHEs) in all of the affected states and U.S. territories for “modifications of requirements” of some federal HIPAA regulations under Waiver 1135.

Here is a list of the dates when the PHEs and 1135 Waivers went active:

• Texas — Aug. 26, 2017
• Louisiana — Aug. 28, 2017
• The Commonwealth of Puerto Rico — Sept. 6, 2017
• The Territory of the U.S. Virgin Islands — Sept. 6, 2017
• Florida — Sept. 7, 2017
• South Carolina — Sept. 8, 2017
• Georgia — Sept. 8, 2017

Remember These 1135 Waiver Rules

A declaration of a PHE eases the privacy rules under HIPAA, but both the President of the United States and the HHS Secretary must weigh in before disclosures are allowed. Once the President declares an emergency or disaster under the Stafford Act or the National Emergencies Act and the HHS Secretary declares a PHE under the Public Health Service Act, providers can then use those determinations to utilize the 1135 Waiver form.

Federal rules: CMS is able to waive certain documentation requirements to help ensure healthcare providers can deliver care to patients who have no health records, or even no proof of their Medicare status, the HHS release noted. Some “sanctions and penalties” are also waived by the HHS Secretary for covered entities (CEs) under a PHE determination. Here is a list of the HIPAA Privacy Rule specifics that are eligible for waiverin a PHE, according to the HHS Hurricane Irma fact sheet:

• The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. (45 CFR 164.510[b])
• The requirement to honor a request to opt out of the facility directory. (45 CFR 164.510[a])
• The requirement to distribute a notice of privacy practices. (45 CFR 164.520)
• The patient’s right to request privacy restrictions. (45 CFR 164.522[a])
• The patient’s right to request confidential communications. (45 CFR 164.522[b])

Read the HHS fact sheet at: www.hhs.gov/sites/default/files/hurricane-irma-hipaa-bulletin.pdf.

Keep Abreast of Your State’s Regulations

“Federal laws and regulations permit, and many state laws require, the disclosure of patient information without a patient’s consent or authorization for certain public health activities,” pointed out attorney Laurie Cohen in a blog posting for the law firm Nixon Peabody LLP in Albany, New York.

According to the OCR guidance, the HIPAA Privacy Rule allows CEs to disclose necessary PHI without individual authorization:

• To a public health authority, such as the Centers forDisease Control and Prevention (CDC), or a state or local health department authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability.
• At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority.
• To persons at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the CE to notify such persons as necessary to prevent or control the spread of the disease, or otherwise to carry out public health interventions or investigations.

Key point: It’s wise to remember that the 1135 Waiver is only good in the affected emergency zones, and for an allotted time period determined by the HHS Secretary in the PHE declaration, the fact sheet mentions. Covered entities, business associates, and volunteers are covered — at hospitals “that have instituted a disaster protocol … and for up to 72 hours” after its implementation. When the 72 hours are up, it’s business as usual and HIPAA must be followed, the advice suggested.

“Emergencies such as these are especially hard on the most vulnerable members of our community, and all of us are committed to doing whatever we can to lend a hand in this public health emergency,” said Roger Severino, OCR Director, in a release. “OCR is providing resources and ongoing technical assistance to help make sure people get the help they need from the emergency responders and management officials as they continue their tireless and heroic efforts to assist the people … in this critical situation.”

Reminder: It is essential that despite working through anatural disaster that CEs and their associates continueto safeguard patients’ privacy the best they can. Although HIPAA permits disclosures of PHI withoutpatient authorization for public health activities and emergencies, you “cannot disregard a patient’s rightto privacy in those cases where a patient’s information has been the subject of a public health report,” Cohen warned.

Find all the most updated Hurricanes’ Harvey and Irma resources from CMS at: www.cms.gov/About-CMS/Agency-Information/Emergency/Hurricanes.html.