Permissible Disclosures during Crisis – From the Office for Civil Rights:
A new memo from the U.S. Office for Civil Rights (OCR) clarifies permissible disclosures of private health information during this time of nationwide emergency over the novel coronavirus. The memo further announces that for 72-hour-periods of time, some requirements relating to patient communications will be eased for hospitals as they put disaster plans in place.
The important context is this:
Under the Health Insurance Portability and Accountability Act (HIPAA), providers have latitude in releasing information to protect the public health.
However, HIPAA security protections remain critical, and access to databases should be tightly controlled. The last thing any provider needs is an IT intrusion to add to the chaos.
Much of the OCR memo reiterates permissible disclosures that are nothing new to HIPAA. These are common-sense provisions that say yes, you can release information as needed, and without prior patient authorization, to:
• Public health authorities or others responsible for public safety;
• Family and friends involved in a patient’s care;
• Those who might face serious harm or be at risk of contracting or spreading a disease.
The following excerpt summarizes the leverage accorded to health professionals:
“Providers may disclose a patient’s health information to anyone who is in a position to prevent or lessen serious and imminent threat, including family, friends, caregivers, and law enforcement without a patient’s permission. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety.”
In sum: Use professional judgment. Act in good faith. Disclose the minimum necessary. Meanwhile, beef up IT security to mitigate the risk of another kind of virus at the worst possible time.
Diane Evans is Publisher for MyHIPAA Guide, a HIPAA consultancy and subscription service. She can be reached at [email protected].