Practice Management Alert

Reader Questions:

You Can Share This PHI in an Emergency

Published on Mon Sep 20, 2021

Question: I live in an area that is hit by hurricanes, and I want to be able to help patients when other providers may need their protected health information, but I want to remain compliant with HIPAA. Are there emergency exceptions for HIPAA?

Georgia Subscriber

Answer: The U.S. Department of Health and Human Services (HHS) provides guidelines specific for emergency situations where providers and health plans — covered entities and business associates — may need to share protected health information. HHS outlines when providers can share information and not be in violation of the HIPAA Privacy Rule.

The applicable situations fall into the following categories: treatment, notification, imminent danger, and facility directory.

Ideally, the health care provider should get verbal permission from individuals, HHS says, but if that is not possible due to the individual being incapacitated or otherwise unavailable, providers should use their professional judgement and act in the patient’s best interest.

Note: The HIPAA Privacy Rule only applies to covered entities; organizations like the American Red Cross are not covered entities and are therefore not subjected to the same rules.

Certain conditions must be met for the situation to qualify as an “emergency.”

HHS says: “If the President declares an emergency or disaster and the Secretary declares a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

“the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
“the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
“the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
“the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
“the patient’s right to request confidential communications. See 45 CFR 164.522(b).

“If the Secretary issues such a waiver, it only applies: (1) in the emergency area and for the emergency period identified in the public health emergency declaration; (2) to hospitals that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.”

Find more information here, www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/index.html.

Practice Management Alert

Best Practices:
Navigate New Provider Credential Waiting Period With These Useful Tips
Don’t submit to myths or magical thinking when submitting claims for providers without credentials. As [...]

Audits:
Pinpoint Medical Necessity with These Communication Tips
Frame documentation this way to support your practice’s E/M coding and billing. “Base medical necessity [...]

News You Can Use:
Don’t Miss These Important Updates on QPP and MIPS
The policy shifts may include a delay in MVP reporting. The Quality Payment Program will [...]

Reader Questions:
You Can Share This PHI in an Emergency
Question: I live in an area that is hit by hurricanes, and I want to [...]

Reader Questions:
Heed This E/M Bullet Advice
Question: I am still getting used to the new rules for office/outpatient evaluation and management [...]

Reader Questions:
Know About This Provider Self-Disclosure Portal
Question: We recently hired a provider, and when I searched for their information on the [...]

View All