In response to the Tropical Storm Barry that made landfall in Louisiana on July 13, the Secretary of the US Department of Health and Human Services has issued a limited waiver of HIPAA sanctions and penalties.
The HHS announced a public health emergencies in the areas affected by the storm on July 12, 2019.
The waiver only applies to covered entities in areas where a public health emergency has been declared. Furthermore, the waiver only covers the 72 hours immediately following the implementation of the hospital’s disaster protocol.
The waiver is only effective for specific provisions of the HIPAA Privacy Rule. These include:
- The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
- The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
- The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
- The patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
- The patient’s right to request confidential communications. See 45 CFR 164.522(b)
When the 72-hour window elapses, or as soon as the Presidential or Secretarial declaration terminates, the waiver ceases to apply. At this point, covered entities must comply with the above provisions of the Privacy Rule for all patients still under their care as normal. This applies even for patients still under their at the time the declaration ends, even if the 72-hour time window has not expired.
Not every emergency warrants the waiver of sanctions and penalties for violations of limited provisions of the HIPAA Privacy Rule. However, the introduction of a waiver does offer some reassurance to covered entities that are operating in a disaster area that they will not accidentally violate HIPAA in the process of coordinating disaster relief.
The Department of Health and Human Services recently stated that in emergency situations, covered entities are permitted to share limited protected health information of patients even if a waiver has not been issued. They are not violating HIPAA when sharing information if it is in the best interests of patients to do so, helps identify patients, helps locate family members, and for public health activities. In the case of the latter, it is permissible to share PHI with public health authorities such as a state or local health department or the CDC for preventing or controlling disease, injury or disability.
“We are working closely with state health and emergency management officials to anticipate the communities’ healthcare needs and be ready to meet them,” said HHS Secretary Azar.