Are Emergency Notifications Systems for Business HIPAA-Compliant?

In most instances, emergency notification systems for business would not be implemented in order to share Protected Health Information (PHI); but if there was an event that required the sending of PHI, are emergency notification systems for business HIPAA-compliant?

Emergency notification systems for business are software platforms most often deployed to warn personnel of potential danger. Examples of events in which such systems might be used are incoming hurricanes, chemical spills, active shooter events, and wildfires; it would therefore be unusual for Protected Health Information (PHI) to be shared in the context of an emergency notification.

Additionally, outside of the healthcare and healthcare insurance sectors, companies can usually send employees’ personal details via emergency notification systems because they are not covered by HIPAA regulations. Exceptions are in place (e.g. self-insured group health plans), but it is hard to think of an instance in which a self-insured employer would share PHI in an emergency notification.

Emergency Notification Systems for Healthcare Groups

Emergency notification systems for companies in the healthcare and healthcare insurance sectors should never be used to share PHI except in the circumstances described below. This is because emergency notifications are sent using a variety of communication channels that are not considered HIPAA-compliant, and so the systems themselves would not be regarded as HIPAA-compliant.

In addition to emergency notification systems for business using non-compliant channels of communication such as SMS text, email, and social media, the systems do not adhere to the technical specifications of the HIPAA Security Rule inasmuch as recipients’ devices do not have automatic log-out or PIN lock capabilities. It is also not possible to withdraw previously sent notifications.

Exceptions for Sharing PHI using Emergency Notification Systems

Two exceptions are in place for sharing PHI via emergency notification systems. The first is in the event of a major public health emergency, when the Department of Health and Human Services may suspend the HIPAA Privacy Rule or parts of the Privacy Rule. These suspensions are normally time-limited and subject to specific conditions, and may only apply to certain people (e.g. hospital in-patients only).

The second exception is when a person has given their consent in advance for their PHI to be shared with appropriate agencies at the time of an emergency. For this exception to apply, the Covered Entity must obtain written authorization and adhere to the “minimum necessary standard”, i.e. disclose only the minimum amount of data necessary to achieve the intended purpose of the disclosure.

Although, in theory, it is possible to extend this second exception to all patients and obtain every patient’s authorization beforehand, this course of action is unlikely to be successful. A patient can withdraw their consent at any point in time; and, since HIPAA prohibits making health care treatment conditional on a patient providing authorization, a situation could arise in which it is permissible to share some patients’ PHI but not others’. In an emergency, healthcare groups do not need extra administrative burdens.