By Tara Gibson - May 26, 2020
The U.S. Secretary of Health and Human Services, Alex Azar, has published a bulletin declaring a limited waiver of the HIPAA Privacy Rule and clarifying the circumstances in which Personally Identifiable Information may be disclosed during an emergency situation.
The purpose of the HIPAA Privacy Rule is to prevent the unauthorized disclosure of Personally Identifiable Information (PII) in the healthcare and healthcare insurance industries. With the exception of disclosing PII for treatment purposes, in most cases the Rule requires that a patient's consent be obtained before information about them is shared - even with family members or friends involved in the patient's care.
During public health emergencies - such as the current coronavirus COVID-19 pandemic - some or all of the HIPAA Privacy Rule can be waived at the discretion of the U.S. Secretary of Health and Human Services. Therefore, in order to clarify which elements of the Rule are currently being waived and the circumstances in which each of the waivers applies, Secretary Azar published a special bulletin.
Strictly speaking, no areas of the Privacy Rule have been waived. Instead, Secretary Azar has stated the U.S. Department of Health and Human Services will not pursue sanctions and penalties against a hospital (note - not any HIPAA Covered Entity) that does not comply with the following provisions of the HIPAA Privacy Rule:
With the exception of allowing medical personnel to speak with family members and friends about the patient's care without the patient's consent, the “relaxation” of enforcement action for failing to comply with the remaining provisions only slightly simplifies hospital processes and does little to alleviate the intense pressure medical personnel are under.
However, in the bulletin, Secretary Azar has also clarified the circumstances in which it is permitted to disclose patient information in emergency situations without consent and without a waiver. These circumstances apply to all HIPAA Covered Entities and Business Associates provided only the minimum amount of information necessary is disclosed.
Under normal circumstances, disclosures of PHI are only permitted to public health authorities and the media with the patient's consent. While the public health emergency is ongoing, Covered Entities and Business Associates will be permitted to disclose the minimum necessary PHI to public health authorities and the media unless a patient has previously objected to their information being shared.
More significant in terms of public health is the circumstance that Covered Entities and Business Associates can share the minimum necessary PHI to “prevent or lessen a serious and imminent threat”. In theory, this means PHI can be disclosed to anyone where a reasonable risk of contracting or spreading coronavirus exists, or where the opportunity exists to prevent or lessen the outbreak in the community.
Contact tracing is one of the most effective ways to prevent the spread of coronavirus. When an individual is diagnosed with coronavirus COVID-19, everybody who has been in contact with the infected individual is notified of their “contact status”, what it means for the contact (usually self-quarantine), and what actions to take if symptoms of the virus start to manifest.
One of the biggest challenges of contact tracing is locating everybody who has been in contact with the infected individual quickly enough to prevent the spread of the virus from escalating. Where a lengthy time has elapsed since the initial contact with the infected individual, it might also be necessary to alert all the contacts' contacts of the risk of infection. Therefore speed is of the essence.
Under normal circumstances, hospitals would not be able to disclose a diagnosis of coronavirus COVID-19 to the community because of the HIPAA Privacy Rule. However, due to Secretary Azar's clarification on disclosures during emergency situations, it is now possible to send a geo-targeted mass notification to areas in which the infected individual may have come into contact with members of the community.
Most hospitals have mass notification systems to alert occupants to emergencies and to communicate non-medical information between management and staff. These are not suitable for sharing patient information because they lack the safeguards of the HIPAA Security Rule to prevent the unauthorized disclosure of PHI (for example, devices that receive PHI have to have automatic log-off capabilities, which would make them unsuitable for receiving emergency alerts).
However, where mass notification systems have SMS opt-in capabilities, they can be used to send coronavirus alerts to communities within minutes of a diagnosis being confirmed. Naturally the alerts would contain the minimum necessary information about the infected individual, but enough to solicit enquiries from members of the public who have been in contact with them.
For example, if an infected individual is known to have been drinking in Joe's Pub the previous weekend, the message could read “ABC Hospital advises anybody who was in contact with a tall, blond-haired man at Joe's Pub last weekend to get in touch”. As the opt-in service would be known to be a coronavirus alert service, the message should be sufficient to advise recipients why they should get in touch urgently. Ideally, Joe's Pub should also be contacted to spread the word among its regular customers.
During the current coronavirus pandemic, the speed at which contacts can be identified and quarantined can make the difference between the virus being contained and spreading throughout a community.
If your hospital would like further information about mass notification systems with SMS opt-in capabilities, do not hesitate to get in touch.
Tara is a Marketing Coordinator on the Rave Mobile Safety marketing team. She loves writing about all things K-12, State & Local, Higher Ed, Corporate, and Healthcare, and manages the Rave social media channels. When she's not working, she's taking care of her smiley, shoe eating, Instagram-famous fur baby, Enzo!