
Protecting Employee Health Information During Emergency Situations

By Lehr Middlebrooks Vreeland & Thompson, P.C.

September 21, 2017

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) maintains a “Privacy Rule” that protects a person’s health information from unauthorized disclosure by “covered entities.” Covered entities are health care providers and individual or group health plans that provide and pay for the cost of medical care, which often include employers. The Privacy Rule balances individual protection with disclosures necessary for medical treatment or responding to certain emergencies. For example, an employee’s protected health information (PHI) can be disclosed to law enforcement to comply with a court order, respond to an administrative subpoena or investigative demand, or when PHI is evidence of a crime, among other related situations. However, when the disclosure is not a permitted disclosure, the covered entity must obtain individual authorization.

Even in emergency situations, covered entities are expected to continue to implement safeguards to protect patient or employment information against impermissible disclosures.

This can be a struggle for employers and other covered entities during emergencies like weather events or other natural disasters. Hurricanes Harvey and Irma are good examples of emergency situations wherein certain disclosures might be necessary for medical treatment or to identify, locate, or notify family members, guardians, or other people responsible for an employee’s care. Harvey and Irma displaced thousands of people, separated families across state lines, and affected communications channels through downed power lines and closed-off internet access. As such, in these situations, obtaining patient or employee permission to disclose PHI to family, public health officials, or medical treatment providers is almost impossible. Additionally, the potential for significant damage to property can impact a covered entity’s computer and data systems, placing their employee and patient PHI in danger. This type of situation puts covered entities between a rock and a hard place, as impermissible disclosure and/or damage of PHI can result in significant monetary penalties for the covered entity.

In response to Hurricanes Harvey and Irma, Health and Human Services (HHS) Secretary Tom Price released a Limited Waiver of HIPAA Sanctions and Penalties. The Waiver explained that while the HIPAA Privacy Rule was not suspended, HHS was authorized to waive certain provisions to facilitate necessary communications and treatment. More specifically, HHS waived sanctions and penalties against hospitals that failed to comply with certain HIPAA provisions, including: (1) the requirements to obtain a patient’s agreement to speak with family members regarding medical care, (2) the requirements to distribute a notice of privacy practices, and (3) a patient’s right to request privacy restrictions and confidential communications.

While this waiver was not extended to all covered entities, was solely applicable to hospitals, and was arguably not broad enough, it is important for all employers to recognize and understand it. When emergency situations like weather events or natural disasters impact your local area and cause concern for employee health and safety, where practical, you should follow HHS press releases and related news to determine if there are any relevant waivers or protocols that might impact you as a covered entity.

Many entities and health-related organizations see HHS’s waiver action as a good sign that HHS will be more willing to cut through red tape in emergencies and assist covered entities in doing their job and helping employees and patients. As such, it will be important to follow future developments in this area. To aid covered entities in understanding permissible disclosures during an emergency, HHS has a HIPAA Privacy Decision Tool for Emergency Preparedness Planning located on its website.

Additionally, these recent emergency events show the importance of having systematic safeguards and protocols in place during emergencies. HHS’s Office of Civil Rights issued another bulletin following Hurricanes Harvey and Irma regarding how covered entities should protect electronic protected health information (ePHI) during an emergency. HHS stressed that specifically during emergencies, it is crucial for covered entities to keep ePHI available and accessible. The bulletin reminds covered entities that they are required to create and maintain contingency plans to protect information systems that could be damaged during an emergency or natural disaster.

A covered entity’s emergency contingency plan must include several details:

(1) A data backup plan designed to create and maintain copies of ePHI that are retrievable offsite or in the cloud;
(2) Disaster recovery procedures that are designed to restore lost data, including maintenance of hardware and applications, and that contain contact information for necessary vendors; and
(3) An emergency mode operational plan, which outlines procedures to protect ePHI during an emergency, including identifying crisis team members and outside resources to support emergency operations and creating and testing an evacuation plan.

HIPAA also requires covered entities to periodically test, evaluate, and revise contingency plans to ensure effectiveness. Covered entities are also required to determine what software applications and data are most critical to support and protect during an emergency and adapt their contingency plan as necessary.

As hurricane season continues and winter weather hazards are on the horizon, it is crucial for all covered entities, including employers, to take steps to ensure data systems are sufficiently protected and can outlast a potential weather-related emergency. What this requires will likely depend on a covered entity’s size, volume of data, and operational systems currently in place. As such, it is important for any covered entity concerned about its information systems’ security protocols and procedures to discuss current and additional protections with its IT Department and legal counsel.
