OCR’s Guidance on HIPAA-Permissible Information Sharing During Patient Opioid Crisis

Share

In response to President Trump’s call to action on opioids, acting Department of Health and Human Services (HHS) Secretary Eric D. Hargan declared the opioid crisis a national public health emergency on October 26, 2017.  The next day, HHS-Office for Civil Rights (OCR) released new guidance on when and how health care providers can share a patient’s health information with the patient’s family and close friends during certain crisis situations, such as opioid overdoses, without violating the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations.

HIPAA prohibits health care providers from sharing protected health information about patients who have capacity to make their own health care decisions and object to information sharing, unless there is a serious and imminent threat of harm or safety.  However, health care professionals may disclose some health information without a patient’s permission under certain circumstances, including:

  • Sharing health information with family, close friends, or any other person identified by the patient, and involved in caring for the patient if the provider determines that doing so is in the incapacitated or unconscious patient’s best interests and the information is directly related to the family or friend’s involvement in the patient’s health care or payment for care. The provider may use professional judgment and experience with common practice to make reasonable inferences of the patient’s best interest.
  • Informing persons in a position to prevent or lessen a serious or imminent threat to the patient’s health or safety.

Continue reading “OCR’s Guidance on HIPAA-Permissible Information Sharing During Patient Opioid Crisis”

HHS Declares Public Health Emergency in California – HIPAA Waivers Apply

Share

In the aftermath of the California wildfires, the Department of Health and Human Services (HHS) has waived sanctions and penalties against covered entities that fail to comply with provisions of the HIPAA Privacy Rule.

The waiver is similar to HHS’ response to Hurricanes Harvey and Irma, which we discussed in a previous blog post. This waiver only applies (1) in the emergency area and for the emergency period identified in the public health emergency declaration, (2) to hospitals that have instituted a disaster protocol, and (3) for up to 72 hours from the time the hospital implements its disaster protocol. Continue reading “HHS Declares Public Health Emergency in California – HIPAA Waivers Apply”

OCR Reminder on How to Manage HIPAA Privacy Requirements during Emergency Relief Efforts

Share

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a reminder to its listserv subscribers following the Las Vegas Strip shooting on October 1, 2017, that HIPAA covered entities are permitted to share patient protected health information (PHI) under the HIPAA Privacy Rule  to carry out specific purposes and under certain circumstances.

For most disclosures, however, a covered entity must make reasonable efforts to limit the information disclosed to that which is minimally necessary to accomplish the purpose.  Per OCR’s reminder, covered entities may rely on representations from a public health authority or other public official that the requested information is the minimum necessary for the purpose.

The following is a summary of OCR’s reminder and the uses and disclosures available under 45 C.F.R. §164.510.

Continue reading “OCR Reminder on How to Manage HIPAA Privacy Requirements during Emergency Relief Efforts”

Pending IoT Legislation Would Impose Significant Obligations on Manufacturers

Share

With the House and Senate returning to Washington in September, two recently-introduced Senate bills seek to address perceived vulnerabilities in the security of Internet of Things (IoT) devices sold to the federal government and medical devices which regularly connect to the Internet.

Among the key takeaways in the legislation:

  • Legislation covers both products sold to the federal government and medical devices;
  • Legislation addresses “life of device” obligations of IoT device manufacturers;
  • Disclosure and Certification Requirements could create additional liability for manufacturers of Internet of Things devices.

Continue reading “Pending IoT Legislation Would Impose Significant Obligations on Manufacturers”

HHS-OCR’s Response to Hurricanes Harvey and Irma

Share

HHS-OCR issued a limited waiver of HIPAA Sanctions and Penalties Notice for both Hurricane Harvey and Hurricane Irma. In late August and early September, Secretary Price declared Public Health Emergencies in Texas, Louisiana, Puerto Rico, the U.S. Virgin Islands, and Florida and President Trump shortly followed suit with emergency declarations for both hurricanes, as well. Since both President Trump and Secretary Price declared an emergency for Hurricane Harvey and Hurricane Irma, the Secretary of HHS may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule.

Continue reading “HHS-OCR’s Response to Hurricanes Harvey and Irma”

DC Circuit Deepens Circuit Split on Data Breach Class Standing

Share

***09/06/17 UPDATE***

On Wednesday, September 6, the DC Circuit Court of Appeals granted an unopposed motion to stay its decision that reversed a district court order dismissing a potential class action arising from a 2014 data breach Chantal Attias et al. v. CareFirst Inc. et al., case number 16-7108.  The order stays the mandate until December 7, 2017.

***ORIGINAL POST***

Last month, a three-judge panel on the United States Court of Appeals for the District of Columbia unanimously reversed a district court order dismissing a potential class action arising from a 2014 data breach,  Chantal Attias et al. v. CareFirst Inc. et al., case number 16-7108.  In reversing that order, the court permitted a health insurance company’s customers to proceed against that carrier, CareFirst, which serves one million customers in the District of Columbia, Maryland and Virginia.
Continue reading “DC Circuit Deepens Circuit Split on Data Breach Class Standing”

©2024 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.
Privacy Policy