Health Information Management

OCR releases new HIPAA guidance for emergencies

HIM-HIPAA Insider, November 17, 2014

In light of the recent Ebola outbreak in the U.S., the Office for Civil Rights (OCR) released new guidance November 10 regarding the release of PHI in emergency situations.

According to OCR, covered entities (CEs) and business associates (BAs) should adhere to the HIPAA Privacy Rule standards when releasing PHI for treatment, to protect the nation’s public health, and for other critical purposes. CEs may disclose PHI without the patient’s consent for the following reasons:
  • To treat the patient or another patient, which includes coordination and management of care and services by one or more healthcare providers and others, or for consultation between providers, and referrals
  • To grant public health authorities (e.g., the Centers for Disease Control and Prevention) access to PHI that is critical to carrying out their public health mission
  • To provide information for the patient’s family members, relatives, friends, or other persons identified by the patient as involved in the patient’s care
  • As necessary to identify or locate a patient and notify his or her family, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death
  • To prevent or lessen a serious and imminent threat to the health and safety of a person or the public

In addition, the HIPAA Privacy Rule permits the release of limited facility directory information if the patient has not objected to or restricted the release of such information. If the patient is incapacitated, CEs may disclose this information if it is believed to be in the best interest of the patient and is consistent with any prior preferences of the patient, according to OCR.

In most instances, CEs must make an effort to adhere to minimum necessary requirements by disclosing only the information that is necessary to care for the patient, except when providing patient information to healthcare providers. BAs may disclose the minimum necessary information when authorized to do so by a CE or BA to the extent outlined in a BA agreement, according to OCR.

CEs must implement reasonable safeguards to protect PHI against impermissible uses and disclosures and must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule for ePHI, according to OCR.

This article originally appeared on HCPro’s HIPAA Update blog.

