HIPAA opioid guidanceThe Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it will be releasing new HIPAA Opioid Guidance in response to President Trump’s declaration of a nationwide public health emergency.

HHS is the executive body governing HIPAA regulation, and OCR is the HIPAA enforcement body behind the regulation.

The new HIPAA Opioid guidance will outline how and when healthcare professionals may share protected health information (PHI) in the event of an opioid-related health crisis. These crises can include incapacitation, like circumstances involving an opioid overdose.

Prior to the new HIPAA opioid guidance, healthcare providers were barred from sharing patient information in the event of an opioid overdose with the patient’s family, friends, and legal representatives. This limitation has been widely criticized by families of opioid-dependent individuals and health care professionals alike as an unnecessary burden that restricts quality of care.

“HHS is bringing all of the resources our department has to bear in order to address this crisis. This will ensure families have the right information when trying to help loved ones who are dealing with the scourge of drug addiction,” said Acting HHS Secretary Eric D. Hargan.

“We know that support from family members and friends is key to helping people struggling with opioid addiction, but their loved ones can’t help if they aren’t informed of the problem,” said Director Roger Severino, of the HHS Office for Civil Rights. “Our clarifying guidance will give medical professionals increased confidence in their ability to cooperate with friends and family members to help save lives.”

In general, the HIPAA Privacy Rule does not allow disclosures to family or legal representatives unless expressly stated in a proper patient consent form and accompanying HIPAA policy. Standards involving the disclosure of PHI to patients themselves are also heavily regulated under the HIPAA privacy rule.

Healthcare professionals are federal mandated to have documented HIPAA policies and procedures that address each aspect of HIPAA regulation. Regulatory standards are outlines in the HIPAA Privacy Rule, the HIPAA Security Rule, the HIPAA Breach Notification Rule, and the Omnibus Rule.

Without proper policies and procedures in place, health care organizations run the risk of HIPAA violations and significant financial penalties.