HIPAA Compliance

Privacy and Security in Disasters or Emergencies

July 7, 2009 | Privacy

Families searching for loved ones in a presidentially declared disaster, whether a hurricane, tornado, earthquake or an unnatural disaster, should not also have to overcome HIPAA privacy roadblocks. As our nation winds down the Midwestern tornado season and heads into hurricane season, review the guidance issued by DHHS after hundreds of thousands of citizens displaced by Hurricanes Katrina and Rita tried to locate loved ones.

Privacy and Security in Disasters or Emergency Guidance

If the president declares an emergency or disaster and the secretary of HHS declares a public health emergency, the secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule, as noted here:

» the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care (45 CFR 164.510(b));

» the requirement to honor a request to opt out of the facility directory (45 CFR 164.510(a));

» the requirement to distribute a notice of privacy practices (45 CFR 164.520);

» the patient’s right to request privacy restrictions (45 CFR 164.522(a)); and

» the patient’s right to request confidential communications (45 CFR 164.522(b)).

When and to what entities does the waiver apply?

If the secretary issues such a waiver, it only applies:

» in the emergency area and for the emergency period identified in the public health emergency declaration.

» to hospitals that have instituted a disaster protocol. The waiver would apply to all patients at such hospitals.

» for up to 72 hours from the time the hospital implements its disaster protocol.

When the presidential or secretarial declaration terminates, a hospital must then comply with all requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

Regardless of the activation of an emergency waiver, the HIPAA Privacy Rule permits disclosures for treatment purposes and certain disclosures to disaster relief organizations. For instance, the Privacy Rule allows covered entities to share patient information with the American Red Cross so it can notify family members of the patient’s location. See 45 CFR 164.510(b)(4). This guidance is available online at http://www.hhs.gov/ocr/hipaa/emergencyPPR.html.

Need help with Emergency Planning?

The following websites offer federally-developed planning tools.

1. Office for Civil Rights (OCR), the agency named to oversee privacy of confidential health information. This is HHS’s primary site for assisting you in emergency preparedness and disaster recovery planning and response. At its Web site, http://www.hhs.gov/ocr/hipaa/emergencyPPR.html, OCR provides links to its own planning documents and also provides links to other agencies inside and outside of HHS that have developed disaster recovery guidance tools (see number 2 in this list); other links will take you to the National Aging Network.

2. Agency for Healthcare Research and Quality. At AHRQ’s Web site, http://www.ahrq.gov/path/katrina.htm, you will find links to multiple tools and resources to assist in response and recovery efforts. Those that are most likely to affect a physician practice include:

a. Personal protective equipment, decontamination, isolation/quarantine, and laboratory capacity

b. Computer staffing model for disaster preparedness response

c. Alternate site locator

d. Health Emergency Assistance Line and Triage Hub model

3. Decision tool to help you determine who, when, and how health information can be disclosed in emergencies. That tool is available at http://www.hhs.gov/ocr/hipaa/decisiontool/tool/source1.html.

© 2023 · hipaa.com
