What are the Rules of HIPAA During an Emergency?

January 25, 2017

A recent scenario brought up questions of HIPAA compliance during an emergency, such as patient exhibiting erratic behavior.

Every practice has had to deal with difficult patients from time to time.  However, some patients turn out to be more than any practice or physician are prepared to handle.

I recently worked with a long time client in handling a situation with a challenging patient.  This patient had not been seen in the practice for over two years, but would often call demanding to talk with different providers and would berate staff and physicians alike.  None of the calls had anything to do with her medical care or needs.  These episodes would often be followed by calls from family members apologizing for the patient's behavior,  suggesting she was not taking her prescribed medications.

After the last contact with the patient, our client sought legal guidance. We sent a letter on behalf of the practice formally terminating the patient, in accordance with recommended guidelines.  The letter also demanded that the patient no longer contact the practice or its providers, or engage in further harassment.  The patient thereafter contacted our law office and "thanked" us for the letter.  She sounded very pleasant and calm.

A month later, the patient again contacted the clinic. This time, however, she threatened the practice and its physicians with physical harm and the practice began to worry.  Should they be doing something more? Should they call the police? Should they contact family members? Were they overreacting?  The client called our office immediately to discuss and, mid- discussion, the patient called again suggesting she was physically on her way to the practice's office.  Her words indicated the practice should be ready to "protect itself from her." Truly alarmed, the client contacted the police without hesitation. 

One of the most interesting questions to arise out of this situation is whether or not the practice should have called the patient's family members.  The patient was not under treatment of anyone in the practice, although her contact information and other data was related to the period of time when she had been a patient, and would likely be considered protected health information (PHI).  Moreover, the patient appeared to view the practice as her healthcare provider.  Would HIPAA have allowed the practice to reach out to family?

Another incident which recently occurred in our practice, which raises similar issues, is the case of a patient exhibiting behavior and specific threats of self-harm, which created concern for our physician client.  This client contacted us to find out whether he was able to contact the patient's family to let them know of his concerns, without implicating HIPAA.

From a strictly HIPAA perspective, there should be no concern about violating HIPAA in the event of either one of the fact scenarios described above.  Physicians can share patient information under the HIPAA privacy rule in an emergency situation when necessary to treat a patient, to protect the public and for other critical purposes.  For example, a covered entity may share PHI with a patient's family members, relatives, friends or other persons identified by the patient as involved in the patient's care.  A covered entity also may share information about a patient as necessary to identify, locate and notify family members, guardians, or anyone else responsible for the patient's care, of the patient's location, general condition, or death.  This may include, where necessary to notify family members and others, the police, the press, or the public at large.  Additionally, healthcare providers may share patient information with anyone as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public - consistent with applicable law and the provider's standards of ethical conduct.  It is, however, important to note that even in an emergency situation, covered entities must still continue to implement reasonable safeguards to protect PHI against intentional or unintentional impermissible uses and disclosures.

Fortunately, both of the above situations worked out well in the sense that everyone is safe and alive. The suicidal patient's family was contacted and he is receiving appropriate treatment. With regard to the other patient, the police were able to locate her at her home and admitted her for hospital care upon a display of erratic and disturbing behavior.  The practice is currently considering whether an Order of Protection is appropriate.

Make sure you and your practice staff are educated and prepared to deal with emergent patient issues.  HIPAA is intended to protect patient privacy and does not prohibit a covered entity from using PHI when reasonably necessary to protect patients, practice staff or the public from harm.