HIPAA For MSPs HIPAA Crisis Rules
00:00:00 00:00:00

Today we are discussing HIPAA crisis plans.  When listening to the news conference about the Pulse Nightclub tragedy on Sunday morning, the last thing I expected to hear was someone mention HIPAA. But, there it was. The mayor said that the hospital couldn’t help the families find their loved ones because of HIPAA. Later, he added that the White House had done a special waiver for HIPAA to solve the problem.

It only added to my anger and shock at the time. HIPAA shouldn’t even be in that particular discussion at all!

Today we know more. As always, during times of crisis and chaos things do become confused and incorrect statements are made. It is a normal occurrence in troubling situations. But, we need to address it specifically to clear up a few points.

  1. There was no “special waiver from the White House”. There was no need for one at all.
  2. People, even in a crisis, should not be invoking HIPAA over caring for the patient properly.
  3. The hospitals talked about implementing their crisis plan – why wasn’t HIPAA addressed in the plan. It should be!

HIPAA Crisis Plans

During confusion in a crisis, there is going to be misinformation, but we should do our best to sort the facts from the fiction. OCR released guidelines in 2014 on how to share patient information during a crisis. You can’t set aside the HIPAA privacy rule, but you can apply it differently. HHS can waive sanctions and penalties, but HIPAA does not go out the window.

Invoking HIPAA comes too easy for some folks

A nurse that I knew once found a stray dog and took it to the vet to get its health checked. She called later to check on the dog, and the vet said that they could not tell her the details of the dog’s visit because of HIPAA. HIPAA doesn’t apply to a dog!

HIPAA doesn’t mean don’t use judgment. Use reasonable judgement when caring for a patient, don’t be a robot who can’t use common sense to allow someone to be helped during a crisis. HIPAA crisis plans are almost entirely based off of judgement from the caretaker. Remember, it’s all about patient care.

HIPAA requirements should be in your crisis plans

The hospitals in Orlando reported that this shooting overwhelmed their crisis plans. With that being said, they at least had several gurneys waiting and were somewhat prepared for the situation. It is obvious that this crisis plan was effective for the most part, but why was there no HIPAA crisis plans included in their plan? If they know how they are going to manage patients in advance the staff should know what information is allowed to be shared and with who.

Situational Examples

Do HIPAA crisis plans apply?

  • Nurse on Facebook who looked into the face of evil in a previous episode
  • Situation #3: A member of the press calls to ask about the status of a patient in the ED.
    What HIPAA says: Location and general health status (i.e., directory information) can be disclosed if the requestor identifies the patient by name unless the patient has objected to such disclosures. This rule prevents inappropriate disclosures when, for example, a caller inquires about the status of “the gunshot victim.” A provider may disclose PHI to the media where necessary to identify, locate, or notify individuals responsible for the patient’s care, but medhipaa crisis plansia-initiated inquiries about a specific patient do not fall within this exception.
  • Situation #8: The police bring a patient into the trauma bay; after resuscitation, the police ask about the patient’s status.
    What HIPAA says: PHI may be disclosed to law enforcement without patient authorization in limited situations. For example, if a law enforcement official requests PHI about a patient who is suspected to be a crime victim and the patient cannot agree to disclosure due to incapacity or other emergency circumstances, the provider may disclose the PHI if s/he determines that disclosure is in the patient’s best interest and the law enforcement official represents that:

    1. the PHI is needed to determine whether another person violated the law;
    2. the PHI is not intended to be used against the patient;
    3. an immediate law enforcement activity depends on disclosure; and
    4. the activity would be materially and adversely affected by waiting until the patient is able to agree to the disclosure.

    Disclosures without authorization outside the specified law enforcement exceptions must be limited to directory information or for purposes of notifying the patient’s family, unless the patient has objected to such disclosures.