Legal: Practical Privacy
Written by Jeffry Adest and Stacey Gulick   
Saturday, 01 September 2007
Legal: Practical Privacy - Health  Executive - RedCoat Publishing
Attorneys Jeffry Adest and Stacey Gulick outline reasonable ways to protect patient privacy in the ED.

The unique physical structure, patient population, staffing, and regulatory requirements in EDs present particular challenges in relation to the privacy standards of HIPAA. ED staff must frequently balance HIPAA requirements regarding privacy of patient information against ensuring the provision of timely and appropriate care to acutely ill or injured patients.

One of the challenges faced by ED staff on a daily basis is protecting conversations among patients, physicians, and ED staff. In the close confines of the ED, it is virtually impossible to restrict conversations to truly private situations. The reality is that staff must communicate regarding critical decisions in an expedient fashion.

Fortunately, the Office of Civil Rights (OCR) has recognized that patient care is the primary concern of ED staff, and there are circumstances where it is not possible to avoid incidental disclosures of patient information. Indeed, in the frequently-asked-question section of the OCR Web site, OCR explicitly states that providers may engage in communications as required for quick, effective, high quality healthcare.

Of course, this is not a license to ignore HIPAA requirements. ED staff are required to implement realistic and reasonable safeguards to minimize the risk of disclosures. In determining what reasonable safeguards are, ED staff need to balance potential risks to patient privacy against (1) the potential effects that the proposed safeguards may have on patient care and (2) the administrative or financial burden that may result from the proposed safeguards. When weighing these considerations, EDs may take into consideration the steps that other prudent ED staff are taking to protect patient privacy.

For instance, OCR has stated that the requirement for reasonable safeguards does not necessarily require constructing physical barriers or reconfiguring the physical layout of the ED. Instead, OCR suggests that curtains placed between patient treatment areas may be a more realistic and reasonable approach.

Other possibilities for minimizing inadvertent disclosures include attempting to keep family members in designated areas (e.g., waiting rooms or in the curtained area where their family members are being treated) and trying to limit the number of individuals freely roaming the ED. Additionally, ED staff should receive training regarding the unique concerns of the ED, such as encouraging providers to hold non-emergency phone conversations in areas where they are not likely to be overheard.

A similar concern is patient information posted in the nurses’ station (on a whiteboard or computer screen), recorded on paper charts, or visible on hand-held devices carried by ED staff. Reasonable steps to safeguard this information include keeping the information behind the station counters rather than on top, having boards or computer screens face away from areas where the greatest visitor flow occurs, ensuring that records and hand-held devices are not left in unprotected areas, using initials or other codes to identify patients, and installing screen savers.

Handling disclosure
ED staffers are on the front lines to handle questions from family members, friends, and sometimes the media regarding the location or status of patients. HIPAA permits covered entities to provide general information from facility directories, consisting of the patient’s name, location in the facility, and health condition expressed in general terms (i.e., terms that do not communicate specific medical information).

Furthermore, HIPAA permits a covered entity to maintain multiple versions of its patient directory in different locations. For instance, EDs that maintain directory information (even though separate from the hospital’s main directory) may still disclose the limited information discussed above.

EDs must remember that, even though HIPAA permits the disclosures discussed above, patients must be given an opportunity to object to the use of their information in the facility directory. This does not mean patients must consent prior to use of their information in the facility directory. Rather, patients must be informed about the facility directory (perhaps in the hospital’s privacy notice) and given instruction to request exclusion from it.

Individuals who are unable to object (e.g., unconscious patients) may be included in the facility directory, provided that inclusion in the directory is consistent with any previous requests, is in the best interests of the individual, and the individual is given an opportunity to object as soon as reasonably possible.

EDs may disclose more detailed information regarding patients to other providers for treatment, payment, and certain healthcare operations. For example, ED staff can call a patient’s primary care physician regarding the patient’s ED admission or receive information from ambulance staff regarding the patient’s status, provide an ambulance company with a patient’s demographic information for billing purposes, and share patient information as part of training of medical students or residents.

HIPAA also allows ED staff to share information about a patient with the patient’s family members or other caregiver. If the patient has capacity, ED staff should obtain the patient’s consent, allow the patient an opportunity to object to the disclosure by making any disclosures in the patient’s presence, or, if the patient cannot be present, use professional judgment to determine that the patient would not object and that the disclosure is in the best interest of the patient. If the patient does not have capacity, the ED staff may use their professional judgment to determine that the disclosure is in the best interest of the patient.

Special circumstances
In a disaster, EDs must be prepared to quickly respond to the needs of a crisis-ridden population. Following the events that occurred after Hurricane Katrina, OCR published guidelines regarding disclosure of patient information in a disaster. These guidelines remind providers that, during a disaster, treatment, identification of patients, notification of families, and protection of patients from further harm become even more critical. For example, OCR has emphasized that, in an emergency, EDs are permitted to coordinate care with emergency relief workers.

To ensure communication among displaced families and individuals, the ED can maintain a directory (as discussed above) and can disclose information regarding a patient’s location and general condition (or death), as necessary to identify, locate, and notify family members or anyone else responsible for the patient’s care.

For example, the ED may notify the police, the press, or the public at large to the extent necessary to help locate, identify, or otherwise notify family members of the location of patients. Prior to making such disclosure, the ED should try to obtain verbal permission from the patient. It is not necessary to request the patient’s permission if (1) the patient is not able to consent and the ED staff determine in their professional judgment that the disclosure is in the patient’s best interest or (2) the disclosure is to a disaster relief organization that is authorized by law to assist in disaster relief efforts (e.g., the American Red Cross) and obtaining the patient’s permission would interfere with the organization’s ability to respond to the emergency.

Another HIPAA concern encountered frequently in the ED is requests from, or disclosures to, law enforcement. HIPAA contains detailed rules regarding these types of disclosures, which are designed to balance the protections of the patient’s privacy and the needs of law enforcement officials.

While a detailed analysis of the rules regarding disclosures to law enforcement is beyond the scope of this article, HIPAA does permit the ED to provide information to law enforcement officials in response to certain requests or to report certain activities or observations. Nevertheless, ED staff are not permitted to disclose patient information every time a law enforcement official requests it. For example, under HIPAA, ED staff can respond to a court order for patient information (unless there are special requirements under state law). However, if a police officer simply makes a verbal request for a list of patients seen on a certain date with a specific diagnosis, the ED staff will most likely not be permitted to provide the information, unless the request otherwise fits within one of the HIPAA exceptions. These requests should generally be referred to the hospital’s risk manager and/or counsel.

It’s clear that EDs must balance their primary purpose of treating patients against the need to protect the privacy of patient information and should attempt to develop policies and training programs that focus on these unique issues so staff can be appropriately prepared for difficult situations.

Jeffry Adest is a partner and Stacey Gulick is an associate with Garfunkel, Wild & Travis, a law firm specializing in healthcare with offices in New York, Connecticut, and New Jersey.

 