HIPAA in the ER: Exceptions, suggestions for compliance in a chaotic clinical setting
The emergency room (ER) is one place where unpredictability is the norm, where critical and noncritical cases walk through the same doors, and where 2 a.m. on a weekday can resemble Grand Central Station at rush hour.
HIPAA requirements only further complicate work in the ER if you don’t have the right policies and procedures to address known challenges.
“Chaotic settings do not mean sloppy use and sharing of PHI [is acceptable],” says Susan A. Miller, JD, chief operations and privacy officer of HealthTransactions, Inc. Staff members will have trouble if their guide to HIPAA compliance in the ER consists of imprecise procedures and sloppy training, she says.
Why the ER is different
Protecting patient privacy in the ER is important, but it’s not necessarily the top priority, says Michael Tulloch, MD, an internist at a private practice in Potsdam, NY. “In the emergency room, the main priority is to save life and limb,” says Tulloch, who has also worked in several ERs in rural and metropolitan settings.“Adhering to HIPAA is of secondary importance, though efforts should be made to conform to HIPAA by both individual effort and administrative policy.”
HIPAA remains the foundation for protecting patient information, Miller says. “But the most important tasks in an ER are to make sure that patients with an emergency get the care they need without regard toHIPAA,” she adds.
ER staff members work in a chaotic environment where lives are regularly saved and lost and where many patients, family members, and others are often present. How can HIPAA hold ER staff members to the same standards as other healthcare professionals in less stressful settings?
It doesn’t. Ensure that your ER staff understands that protecting patient information is of utmost importance and that HIPAA includes provisions that help make compliance in an ER realistic.
Provisions for ER compliance
First, HIPAA considers oral communication in most ER settings incidental communication, Miller says.
HIPAA also permits clinicians to use their judgment when a patient, family member, or friend is unable to make decisions.“And the ER is one such setting where the treating clinician can make a judgment to use and share the patient’s information if the patient or another cannot consent,” Miller says.
Consider the patient who arrives in the ER unconscious but with medication or a medical ID card in his or her wallet, pocket, or purse. A physician in this situation can obtain and use this information, even though doing so might otherwise be a HIPAA violation.
Consider another scenario involving an emergency in which obtaining consent is impossible due to the patient’s condition, Tulloch says. The physician may need to obtain or release information about the patient for the patient’s well-being or to communicate with a concerned party. The need to provide care overrides the protection HIPAA provides, he says. Tulloch cites as an example informing a parent that his or her adult daughter has been in a serious accident and that the hospital is admitting her to the ICU.
The safety and care of patients must trump HIPAA.
“Assuming that these are not gross, careless acts, such as allowing visitors into chart rooms to see other patients’ charts, then HIPAA will make allowances for busy healthcare environments when private medical information may be inadvertently seen by people who have no right to it,” Tulloch says.
HIPAA considers the challenges of the ER, but it doesn’t let staff members dismiss its requirements entirely. Protecting patient information is still necessary.
Typical trouble areas
Incidental oral communication is normal in an ER and is not a HIPAA violation.
Communication outside the ER walls doesn’t fall within the same category.
“There is a great deal of verbal information sharing in an ER, and some of it might walk right out the door,” Miller says.
But some sharing of information may be malicious, if the intent is to harm a patient’s reputation, for example. However, a severe outcome such as identity theft is unlikely because business and financial information is generally not discussed openly in an ER, Miller says.
Some communications within an ER are more problematic and risky than others.
Miller recalls an occasion when she clearly heard three clinicians discussing x-rays and using the patient’s name in the presence of others when discretion and quieter voices may have prevented others from hearing their conversation.
Many ERs use an electronic board with patient names, bed assignment, and vital signs, Miller says. And it is meant to be visible from across the room. The board also alerts staff members to problems, such as a vital sign that is not in a normal range. “If this is described as a patient safety issue, then most people will accept this type of in-formation sharing,” she says.
Take an inventory of your ER, identify all areas where you openly display or communicate patient information, and decide whether each one is necessary for patient safety. Include your findings in your facility’s policy so that staff members understand why these situations don’t constitute HIPAA violations.
Investigate your security measures to determine which areas of the ER non-staff members may enter. Ensure that your policies address law enforcement officers’ access in your ER.
“I have felt uncomfortable with the degree of wandering around the ER that law enforcement does,” Tulloch says.“Police ask healthcare workers for protected information and may get it due to thefear and lack of training regarding law enforcement’s rights and limitations.”
Tulloch says he thinks violations by law enforcement officials are far too common. “They are just too bold and nosey and, because they are the law, they feel they are above the law,” he says.
Consider including a subsection in your ER security policy that addresses this subject.
Training tips for the ER staff
Misconception about what HIPAA permits and does not permit ER staff members to say and do often presents a far greater challenge than the frenetic pace of their work environment, Tulloch says.
“Most healthcare workers in the ER go too far and are not willing to discuss a patient’s condition [when they should],” he says.
For example, when a patient is unconscious due to alcohol poisoning, a family member, usually a parent, will often request information.
“Often, the parents are not informed because the healthcare worker fears violating HIPAA,” Tulloch says. “Healthcare workers need to be educated as to their freedom under HIPAA, as well as when and from whom to protect the information.I am afraid this education is lacking.”
Real-life scenarios are ideal training tools, even in the form of a quick pop quiz. Occasionally, ask staff members how they would respond in various situations. This will facilitate staff members’ awareness of HIPAA and encourage them to think about the appropriate response instead of hiding behind HIPAA.
Oral communication is another topic that requires frequent review. Teach staff members what constitutes oral communication and how to protect it, Miller says. This training must occur periodically.
Your policy should require education for ER staff members to ensure that they comply with HIPAA and that they understand when it does not apply in the ER.