HIPAA Privacy In The Aftermath Of Sandy: Be Prepared For The Next Emergency

Author:Mr Ryan Blaney
Profession:Proskauer Rose LLP

As health care providers, patients, family members, friends, and disaster relief agencies such as the American Red Cross continue to grapple with the aftermath of Hurricane Sandy it is important to be mindful of privacy regulations and to prepare in advance for the next emergency. The Health Insurance Portability and Accountability Actof 1996 ("HIPAA" or "Privacy Rule") protects individually identifiable health information held by "covered entities." The information protected is referred to as protected health information or PHI. The Privacy Rule permits covered entities to disclose PHI for a variety of purposes including to (a) treat patients; (b) identify, locate and notify family members, guardians, or anyone else responsible for an individual's care; (c) obtain the services of disaster relief agencies; (d) conduct public health activities; and (e) prevent or lessen serious and imminent threats to health or safety.

The U.S. Department of Health and Human Services ("HHS") provides guidelines for disclosures before and during emergencies.HHS developed a flowchart decision tool to assist health care providers during a public health emergency.Here is a link to HHS's Flowchart Decision Tool.The Flowchart Decision Tool asks three essential questions.First, who is the source of the information to be disclosed?If the source of the information is a covered entity (i.e., a health plan, health care provider, or a health care clearinghouse) then the decision maker needs to answer the next question.Second, to whom is the information being disclosed?Is the recipient of the information a Public Health Authority ("PHA")?A PHA is defined as an agency or authority of the United States Government, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, that is responsible for public health matters as a part of its official mandate, or a person or entity acting under a grant of authority from a contract with such agency.Third, does the covered entity have a signed authorization permitting the disclosure?The covered entity must obtain individual authorization, unless the disclosure is permitted by another provision of the Privacy Rule (i.e., obtain the services of disaster relief agencies or prevent or lessen serious and imminent threats to health and safety).A valid authorization includes (a) a meaningful description of the information to be disclosed; (b) the name of the individual or the name of the person authorized to...

To continue reading