Posts Tagged with: PHI

  Back to top
Typing at a laptop
02 November 2017

$2.5 Million is an Expensive Laptop!

In April 2017, the U.S. Department of Health and Human Services (“HHS”) announced yet another HIPAA settlement agreement with a health care provider relating to a stolen mobile device containing Protected Health Information (“PHI”).  As part of this settlement agreement, CardioNet agreed to pay $2.5 million and implement a corrective action plan resulting from the […]

Flooded Houses
07 September 2017

Dealing with PHI after Hurricane Harvey (and Ot...

The Department of Health and Human Services (“HHS”) recently issued relief and other helpful guidance about dealing with Protected Health Information (“PHI”) in the wake of disasters like Hurricane Harvey.  You can review this guidance here. Waiver of Certain Provisions under the Privacy Rule It is important to remember that HIPAA’s Privacy Rule continues to […]

Email Disclaimer 

Please be advised that contacting Miller Johnson or one of its attorneys by email does not constitute establishing an attorney-client relationship or otherwise confidential relationship between you and the Firm. Please do not give us any information you regard as confidential until a formal attorney-client relationship has been established. Any information you give to us before establishing an attorney-client relationship will not be regarded as privileged or confidential. Do you wish to proceed?

Cancel I agree

Publication Signup 

"*" indicates required fields

To receive firm communications, please select from the list of topics, complete your contact information, and Sign Up below.
This field is hidden when viewing the form
Select Service*
This field is for validation purposes and should be left unchanged.

The Department of Health and Human Services (“HHS”) recently issued relief and other helpful guidance about dealing with Protected Health Information (“PHI”) in the wake of disasters like Hurricane Harvey.  You can review this guidance here.

Waiver of Certain Provisions under the Privacy Rule

It is important to remember that HIPAA’s Privacy Rule continues to apply during public health or other emergencies caused by natural disasters.  The Secretary of HHS may, however, waive certain provisions under the Privacy Rule for health care providers (but not all covered entities) that operate in areas that have received disaster declarations by the President.

If such a waiver is issued, it only applies:

  • In the emergency area identified in the public health emergency declaration;
  • To health care providers that have instituted a “disaster protocol”; and
  • For the shorter of:
    • 72 hours after the disaster protocol is implemented; or
    • The emergency period identified in the public health emergency declaration.

Most recently, Secretary Tom Price issued declarations of public health emergencies in Texas (available here) and Louisiana (available here).  As part of these public health emergencies, the following provisions of the Privacy Rule have been waived for health care providers in Texas and Louisiana:

  • The requirement to obtain a patient’s agreement to speak with family members or friends involved with the patient’s care.
  • The requirement to honor a patient’s request to opt-out of the health care provider’s facility directory.
  • The requirement to distribute Notices of Privacy Practices.
  • A patient’s right to request privacy restrictions.
  • A patient’s right to request confidential communications.

Other Helpful Reminders

The guidance issued by HHS also provides helpful reminders of when PHI may be permissibly disclosed, without a patient’s authorization, under the Privacy Rule:

  • Treatment. Covered entities may disclose PHI as necessary to treat the patient, or treat another person (e.g., another person who may be affected by the same emergency situation).
  • Public Health Activities. Covered entities may disclose PHI to public health authorities (e.g., the Centers for Disease Control and Prevention, or other state or local health departments) that is necessary to carry out the authority’s public health mission.
  • Family, Friends, and Others Involved in a Patient’s Care. Covered entities may disclose PHI to certain individuals—including disaster relief organizations, like the American Red Cross—involved in the patient’s care.  Verbal permission may be required from patients who are not unconscious or incapacitated.  In certain situations, limited PHI (i.e., limited facility directory information) may be disclosed to the media or other individuals not involved in the patient’s care.
  • Imminent Danger. Covered entities may disclose PHI to anyone necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.

In the event that PHI is disclosed under a situation described above (except for treatment), covered entities should remember that the disclosure of PHI is subject to HIPAA’s minimum necessary rule.

Emergency Access

While it is not specifically addressed in the recently issued guidance, covered entities must also establish and implement procedures that allow the covered entity to access electronic PHI in the event of an emergency.  So, it is important—especially in response to natural disasters—for covered entities to maintain an up-to-date emergency access or back-up plan.