
HIPAA Compliance During Emergencies and Disasters

Yesterday the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) posted a new HIPAA frequently asked question (FAQ) on its site; it is a great question that many organizations do not even consider until after the fact...

"Is the HIPAA Privacy Rule suspended during a national or public health emergency?

Answer:

No; however, the Secretary of HHS may waive certain provisions of the Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act.

What provisions may be waived?

If the President declares an emergency or disaster and the Secretary declares a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule:

  1. the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient's care (45 CFR 164.510(b))
  2. the requirement to honor a request to opt out of the facility directory (45 CFR 164.510(a))
  3. the requirement to distribute a notice of privacy practices (45 CFR 164.520)
  4. the patient's right to request privacy restrictions (45 CFR 164.522(a))
  5. the patient's right to request confidential communications (45 CFR 164.522(b))

When and to what entities does the waiver apply?

If the Secretary issues such a waiver, it only applies:

  1. In the emergency area and for the emergency period identified in the public health emergency declaration.
  2. To hospitals that have instituted a disaster protocol. The waiver would apply to all patients at such hospitals.
  3. For up to 72 hours from the time the hospital implements its disaster protocol.

When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.

Regardless of the activation of an emergency waiver, the HIPAA Privacy Rule permits disclosures for treatment purposes and certain disclosures to disaster relief organizations. For instance, the Privacy Rule allows covered entities to share patient information with the American Red Cross so it can notify family members of the patient's location. See 45 CFR 164.510(b)(4).

Learn More:

See http://www.hhs.gov/ocr/hipaa/KATRINAnHIPAA.pdf for information on sharing information in emergency situations."



I've seen security and privacy completely disregarded during times of emergencies and disasters. Oftentimes it is justified considering the life and death situations. However, some significant crimes have occurred involving personally identifiable information (PII) as a result of unnecessary disregard for security practices after the immediate danger and emergency actions have passed.

The answers provided by the OCR to this FAQ seem reasonable. They put patient health and safety first during the disaster/emergency, which is certainly the right thing to do. They also provide a timeframe after which the healthcare provider must get back to implementing privacy and security protections once more.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.