Hurricanes & HIPAA – Limited Waivers During Declared Emergencies

In the aftermath of Hurricanes Harvey and Irma and with the Atlantic hurricane season hitting its midway point, the US Department of Health and Human Services (“HHS”) issued a bulletin outlining a limited waiver of HIPAA sanctions and penalties resulting from any violations that occur during a state of emergency. The stated purpose of this waiver is to facilitate assistance in disaster relief and to ensure patients are receiving the care they need in such circumstances. The bulletin states that because severe disasters (such as Hurricane Harvey) impose many additional challenges on health care providers, the Secretary of HHS may declare a public health emergency and subsequently waive certain provisions of the HIPAA Privacy Rule, though at no point is the Privacy Rule itself fully suspended.

During such a declared emergency, the Secretary may waive sanctions and penalties against covered entities for failing to comply with certain HIPAA requirements: the requirement to obtain a patient’s agreement to speak with family members or friends involved with the patient’s care; the requirement to honor a request to opt out of the facility’s directory; the requirement to distribute a notice of privacy practices; the patient’s right to request privacy restrictions; and the patient’s right to request confidential communications. When such an emergency waiver is issued, it applies only: in the designated emergency area, for the period of time identified in the emergency declaration, to hospitals that have instituted a disaster protocol, and for up to 72 hours from the time the hospital implements its disaster protocol. However, when such an emergency declaration terminates, full compliance with the Privacy Rule is again compulsory, regardless of whether 72 hours has passed since implementation of a health care provider’s disaster protocol. Furthermore, it is essential to keep in mind that even when relying on a limited waiver, covered entities must continue to protect patient information and to share patient information only to the minimum necessary to accomplish the purpose of said sharing.

The information contained in this bulletin is important for all covered entities and business associates to be familiar with in order to both comply with the law and to make use of the waiver if the occasion were to arise. Its importance is only further highlighted as Hurricane Harvey and Hurricane Irma relief efforts continue.

The bulletin can be accessed here: Hurricane Harvey & HIPAA Bulletin: Limited Waiver of HIPAA Sanctions and Penalties During a Declared Emergency